Help
FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
scollins
Staff
Staff

Created on ‎09-21-2023 08:51 AM Edited on ‎01-01-2026 10:54 PM By Community Manager

Article Id 275156

Technical Tip: FortiAuthenticator as TACACS+ server for FortiGate user authorization

Description

 

This article describes how to configure FortiAuthenticator as a TACACS+ server for FortiGate user authorization.

FortiAuthenticator can perform central authentication as TACACS+ Server and Authorize the admin profile used on FortiGate.

 

Scope

 

Specific users on FortiAuthenticator should be able to authenticate and access the FortiGate with the appropriate admin profile.

 

Solution

 

Generic TACACS+ configuration information can be found for both FortiGate and FortiAuthenticator products in the Fortinet Document Library.

 

For Example:

FortiGate:

TACACS+ servers

 

FortiAuthenticator:

TACACS+ service

 

The link below details the required FortiGate configuration:

Remote administrators with TACACS VSA attributes

 

Configuring FortiAuthenticator Authorization:

Below is an Authorization Service that, when configured, can be allowed in an Authorization Rule and will return the appropriate Vendor-Specific Attributes (VSAs) to the FortiGate during authentication/authorization.

  1. Authorization Service:

 Go to Authentication -> TACACS+ Service -> Authorization, Select Services from the top right menu.

 

Picture4.png

 

  • service: 'fortigate'.
  • admin_prof: The admin profile on the FortiGate that users will be given.
  • memberof: User group that will be matched on the FortiGate.

 

Note:

If the 'set vdom-override' option has been set to 'enable' under the admin user configuration on the FortiGate, then the VDOM VSA can also be configured on the FortiAuthenticator if required (example below):
   Picture7.png

 

  1. Authorization Rule.

 Go to Authentication -> TACACS+ Service -> Authorization, and select Rules (default) from the top right menu.
 Picture5.png

 

Troubleshooting:

  • To verify if the Authorization is working as expected, first log in to FortiAuthenticator via https://x.x.x.x/debug.
  • Navigate to Log categories -> TACACS+ -> Authorization. The logs will be similar to the following:

   

2025-12-09T09:42:08.523056+00:00 FAC01 author_tac_plus[60848]: 10.10.10.2 new.user/TestRule ssh 10.10.10.1 add        test-ssh group1=global-read-write shell=/usr/bin/cli


2025-12-09T09:45:27.104444+00:00 FAC01 author_tac_plus[51146]: 10.10.10.2 new.user/New_Rule ssh 10.10.10.1 add        test-ssh shell=/usr/bin/cli

 

  • More details of the authentication can be seen in the following logs:
  1. Navigate to Log categories -> TACACS+ -> Authentication for details on authentication.
  2. Navigate to Log categories -> TACACS+ -> Accounting for details on accounting.
  3. Navigate to Log categories -> Others -> Kernel for more details on timers and the realm check used for authentication.  
3288
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2026 Fortinet, Inc. All Rights Reserved.