FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
Article Id 206348
Description This article describes how to configure a TACACS+ service and an authorization rule when FortiAuthenticator acts as the TACACS+ server and FortiGate as the TACACS+ client.
Scope

FortiAuthenticator v6.2.x and above, FortiGate v6.4.X, v7.0.X, v7.2.X, v7.4.X, v7.6.X.

Solution

FortiAuthenticator (FAC) can act as a TACACS+ server to authenticate and authorize admin accounts. The following steps are required on FortiAuthenticator:

  1. Create a TACACS+ service and add Attribute Value Pairs (AVP) if authorization is required.
  2. Create an authorization rule that assigns the created service.
  3. Create a TACACS+ client on FAC. The TACACS+ service must be enabled on the appropriate network interface.
  4. Create a TACACS+ policy to authenticate the user.
  5. Assign the TACACS+ service to an end user or group.

 

On the FortiGate side, these steps should be done:

  1. Create a TACACS+ server.
  2. Create a user group object and bind the already created server.
  3. Create an admin user configured for remote login, with wildcard and the access-profile override option enabled.

 

Start with FortiAuthenticator:

  1. Create a TACACS+ service and add AVP for authorization:
  • Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Authorization -> Services tab, and in the top right corner, select Create New:

  • Give the service a unique name. For FortiGate appliances the 'Service' name must be 'fortigate' for authorization to work; this service supplies two attributes, 'memberof' and 'admin_prof'.

  2. Create a Rule to assign the created service to.
  • Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Authorization -> Rules tab and in the top right corner, select Create New:

  • Name the rule and assign the service created before, then select Save:

  3. Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Clients, and select Create New to create a TACACS+ Client:

  • The TACACS+ service must be enabled on the required interface:

  4. Create a TACACS+ policy to authenticate the user. Go to the FortiAuthenticator GUI -> Authentication -> TACACS+ Service -> Policies and select Create New.
  • A policy name and the TACACS+ client that this policy applies to are required. After configuring them, select Next:

  • Select the user database source. In the example, local users from the 'admins' group are selected (user groups can be filtered later):

  • Select the authentication factors (password only, OTP only, etc.), then select Next and then 'Update and Exit'.

  5. Now, assign the TACACS+ service to the filtered local user group 'admins'. Go to the Admin GUI -> Authentication -> User Management -> User Groups -> select the group (in the screenshot, 'admins' was selected as an example) -> TACACS+ authorization rule -> select the service from the dropdown menu:

Now, configure a FortiGate device:

See the article Technical Tip: Access using TACACS+ authentication with admin profile and group matching for configuring FortiGate as a TACACS+ client with a third-party TACACS+ server; it also includes troubleshooting steps.

  1. Create a TACACS+ server on the FortiGate via the CLI:

config user tacacs+
    edit "FAC_Tac"                 <- Can be renamed.
        set server "172.20.20.20"  <- Subject to adjustment.
        set key fortinet
        set authorization enable   <- Required if authorization is used.
    next
end

  2. Add a user group object with the TACACS+ server as a member. In the example below, the match group name is 'tacacs', the value FortiGate expects to receive from the server in the authorization reply:

config user group
    edit "tacacs_admin"
        set member "FAC_Tac"
        config match
            edit 1
                set server-name "FAC_Tac"
                set group-name "tacacs"
            next
        end
    next
end

  3. Create an admin user with remote authentication, access profile override, and wildcard enabled:

config system admin
    edit "tacacs_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "tacacs_admin"
        set accprofile-override enable
    next
end

Testing:

  • To show the difference, in the following example the access-profile override function is disabled, so the testing admin account is profiled as prof_admin for the root VDOM only:

config system admin
    edit tacacs_admin
        get
name : tacacs_admin
remote-auth : enable
...
...
accprofile : prof_admin
vdom : "root"
guest-auth : disable
wildcard : enable
remote-group : tacacs_admin
accprofile-override : disable
vdom-override : disable

GUI Console: (screenshot)

  • Once the access profile override is enabled, the remote admin account is profiled as 'super_admin':

config system admin
    edit "tacacs_admin"
        set remote-auth enable
        set accprofile "prof_admin"
        set vdom "root"
        set wildcard enable
        set remote-group "tacacs_admin"
        set accprofile-override enable
    next
end

GUI console: (screenshot)

diagnose test authserver tacacs+ FAC_Tac local.user fortinet
authenticate user 'local.user' on server 'FAC_Tac' succeeded
Admin profile: super_admin
Group membership(s) - tacacs
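As an added illustration (not part of the Fortinet article or FortiOS itself), the following Python model shows how the three FortiGate settings above interact with the 'memberof' and 'admin_prof' attributes returned by the FortiAuthenticator 'fortigate' service: the 'config match' group decides whether the remote login is accepted, and accprofile-override decides whether the server-supplied profile replaces the local one. The AV-pair strings, the 'local.user' name and the decision logic are constructed assumptions for the example.

```python
# Added example, not from the article: a simplified model of the FortiGate-side
# decision for a TACACS+ authorization reply. The attribute names 'memberof' and
# 'admin_prof' and the object names come from the article; the reply strings are
# constructed and the decision logic is an assumption, not FortiOS code.
from dataclasses import dataclass, field

@dataclass
class AdminUser:
    """Fields of a 'config system admin' entry that matter here."""
    name: str
    accprofile: str                    # set accprofile "prof_admin"
    remote_group: str                  # set remote-group "tacacs_admin"
    wildcard: bool = True              # set wildcard enable
    accprofile_override: bool = False  # set accprofile-override enable

@dataclass
class UserGroup:
    """A 'config user group' entry with its 'config match' group names."""
    name: str
    match_groups: list = field(default_factory=list)

def parse_avpairs(avpairs):
    """Split AV pairs into {name: [values]}; a name may repeat.
    RFC 8907 uses '=' for mandatory pairs and '*' for optional ones."""
    attrs = {}
    for pair in avpairs:
        name, _, value = pair.partition("=" if "=" in pair else "*")
        attrs.setdefault(name, []).append(value)
    return attrs

def authorize(admin, group, username, avpairs):
    """Return the effective admin profile, or None if the login is denied."""
    if not admin.wildcard and username != admin.name:
        return None  # without wildcard only the exact admin name may log in
    if group.name != admin.remote_group:
        return None  # admin entry is bound to a different remote group
    attrs = parse_avpairs(avpairs)
    if not any(m in group.match_groups for m in attrs.get("memberof", [])):
        return None  # no 'memberof' value matches 'config match': denied
    if admin.accprofile_override and attrs.get("admin_prof"):
        return attrs["admin_prof"][0]  # server-supplied profile wins
    return admin.accprofile  # override disabled: local profile applies

if __name__ == "__main__":
    grp = UserGroup("tacacs_admin", ["tacacs"])
    reply = ["memberof=tacacs", "admin_prof=super_admin"]  # constructed
    base = AdminUser("tacacs_admin", "prof_admin", "tacacs_admin")
    print(authorize(base, grp, "local.user", reply))  # prof_admin
    base.accprofile_override = True
    print(authorize(base, grp, "local.user", reply))  # super_admin
```

The two printed results mirror the two test runs above: prof_admin with the override disabled, super_admin once it is enabled.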

Related document:

Creating authorization rules