FortiAuthenticator
FortiAuthenticator provides centralized authentication services for the Fortinet Security Fabric including multi-factor authentication, single sign-on services, certificate management, and guest management.
mflamingos
Staff
Article Id 198088

Description


This article describes the basics of TACACS+ authentication, how it can be used for authorization, and the general troubleshooting logs.


Scope


FortiAuthenticator.


Solution


TACACS+ provides Authentication, Authorization, and Accounting (AAA) for network devices such as routers, switches, firewalls, and servers. It uses TCP port 49, and the packet payload is encrypted with the shared secret, so credentials and returned attributes do not cross the network in clear text (only the small TACACS+ packet header is sent unencrypted).


How it works:

  • The user attempts to log in.
  • The username is checked locally; if present, the request is forwarded to the TACACS+ server.
  • The password is verified; on success the request is forwarded and checked against the trusted host list.
  • The profiles and resources required for the user are allowed.
  • Successful authentication returns the vendor-specific attributes (VSAs) defined for the user's group.


Log snippets from a successful session, for reference.

TACACS+ Authentication logs:


2025-12-09T09:42:08.789839+00:00 FAC01 authen_tac_plus[2916]: 10.10.10.2 test1 ssh 10.10.10.1 pap login succeeded
2025-12-09T09:42:08.826070+00:00 FAC01 authen_tac_plus[44930]: 10.10.10.2 test1 ssh 10.10.10.1 pap login succeeded


TACACS+ Accounting logs:


2025-12-09T09:42:09.802826+00:00 FAC01 acct_tac_plus[2916]: 10.10.10.2 test1 ssh 10.10.10.1 start start_time=1215575841 task_id=64612 service=test-ssh protocol=ip


TACACS+ Authorization logs:


2025-12-09T09:42:08.523056+00:00 FAC01 author_tac_plus[60848]: 10.10.10.2 new.user/TestRule ssh 10.10.10.1 add  test-ssh group1=global-read-write shell=/usr/bin/cli
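As an added example (not part of the article), a small Python parser for the three FortiAuthenticator TACACS+ log formats shown above, with a helper that lists which authorizations returned a shell attribute; the sample lines are the article's own, while the field names and the assumption that any authentication line not ending in "login succeeded" is a failure are this example's.

```python
import re

# Constructed sample: the three lines from the article's successful session.
SAMPLE_LOGS = """\
2025-12-09T09:42:08.523056+00:00 FAC01 author_tac_plus[60848]: 10.10.10.2 new.user/TestRule ssh 10.10.10.1 add  test-ssh group1=global-read-write shell=/usr/bin/cli
2025-12-09T09:42:08.789839+00:00 FAC01 authen_tac_plus[2916]: 10.10.10.2 test1 ssh 10.10.10.1 pap login succeeded
2025-12-09T09:42:09.802826+00:00 FAC01 acct_tac_plus[2916]: 10.10.10.2 test1 ssh 10.10.10.1 start start_time=1215575841 task_id=64612 service=test-ssh protocol=ip
"""

# Common prefix of all three daemons: timestamp, host, daemon[pid], client IP,
# user, port/service name, remote address; the remainder is daemon specific.
HEADER = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<daemon>authen|acct|author)_tac_plus"
    r"\[(?P<pid>\d+)\]: (?P<client>\S+) (?P<user>\S+) (?P<port>\S+) "
    r"(?P<rem_addr>\S+) (?P<rest>.*)$"
)

def _kv(tokens):
    """Turn ['k=v', ...] into a dict, ignoring tokens without '='."""
    return dict(t.split("=", 1) for t in tokens if "=" in t)

def parse_line(line):
    """Parse one FortiAuthenticator TACACS+ syslog line; None if it is not one."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"])
    tokens = rec.pop("rest").split()
    if rec["daemon"] == "authen":       # "<method> login succeeded"
        rec["method"] = tokens[0]
        rec["succeeded"] = tokens[-2:] == ["login", "succeeded"]
    elif rec["daemon"] == "acct":       # "start|stop key=value ..."
        rec["action"] = tokens[0]
        rec["attrs"] = _kv(tokens[1:])
    else:                               # "add <service> key=value ..." (user/rule)
        rec["user"], _, rec["rule"] = rec["user"].partition("/")
        rec["action"], rec["service"] = tokens[0], tokens[1]
        rec["attrs"] = _kv(tokens[2:])
    return rec

def shell_grants(text):
    """Authorizations that returned a shell attribute, keyed by user:
    (client IP, matching rule, shell path). A review-style check of who was
    granted an interactive shell by the authorization rules (constructed)."""
    grants = {}
    for rec in filter(None, map(parse_line, text.splitlines())):
        if rec["daemon"] == "author" and "shell" in rec["attrs"]:
            grants[rec["user"]] = (rec["client"], rec["rule"], rec["attrs"]["shell"])
    return grants

if __name__ == "__main__":
    for r in map(parse_line, SAMPLE_LOGS.splitlines()):
        print(r)
    print(shell_grants(SAMPLE_LOGS))
```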


Troubleshooting commands:

  • For packet capture on FortiGate, use 'diagnose sniffer packet any 'host x.x.x.x and port 49' 6 0 a'.
  • To test the credentials directly from FortiGate, use 'diagnose test authserver tacacs+ <servername> <username> <password>'.
  • For packet capture on FortiAuthenticator, use 'execute tcpdump -c2 -v -i port host x.x.x.x and port 49'.
  • On FortiAuthenticator, more logs can be viewed by downloading them:
  1. FortiAuthenticator/Logging/Log Access/Logs -> Downloads drop-down list -> Authentication.
  2. FortiAuthenticator/Logging/Log Access/Logs -> Downloads drop-down list -> Accounting.
  3. FortiAuthenticator/Logging/Log Access/Logs -> Downloads drop-down list -> Authorization.


Related articles:
FortiAuthenticator can be used as a TACACS+ server for Cisco Switch. Refer to Technical Tip: FortiAuthenticator as TACACS+ server for Cisco switch and clear pass for remote user ....

FortiAuthenticator can be used as a TACACS server, and FortiGate as the TACACS+ client. Refer to Technical Tip: Configure FortiAuthenticator as TACACS+ server, and FortiGate as TACACS+ client for a... 

FortiAuthenticator is used as the TACACS+ server with FortiAnalyzer/FortiManager. Refer to Technical Tip: FortiAuthenticator as TACACS+ server for FortiAnalyzer / FortiManager user authorizat...

FortiAuthenticator is used as the TACACS+ server with steps for user authorization. Refer to Technical Tip: FortiAuthenticator as TACACS+ server for FortiGate user authorization.