FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
gfantappie
Staff
Article Id 192810

Description

 

This article describes how to configure password authentication and access using a remote TACACS+ server on FortiGate.


Scope

 

FortiGate supports many remote authentication servers, including TACACS+. When a TACACS+ server is used for authentication, FortiGate forwards the user's submitted credentials to it and waits for its response.


Solution


Here is a step-by-step guide:

 

1. Add the TACACS+ server to the FortiGate using the following commands on the CLI:

 

config user tacacs+
    edit <server name>
        set authorization enable
        set server <server ip>
        set key <server key>
        set authen-type chap
    next
end

 

'set authen-type' accepts the following options: PAP, MSCHAP, CHAP, and Auto.
Selecting 'Auto' tries PAP, MSCHAP, and CHAP, in that order.

 

The 'Auto' option does not work with TACACS+, so one of the specific authentication types (PAP, MSCHAP, or CHAP) must be selected explicitly.
The server key is the shared secret defined in the configuration file of the TACACS+ server.

 

In the GUI, the TACACS+ Servers tab appears under User & Authentication only after TACACS+ has been configured via the CLI.

 


 

2. Create a user group and add the server as a member:

 

config user group
    edit <tacacs+ group name>
        set member <server name>
    next
end

 

With this method, any user with an account on the remote server can authenticate.

Note: 

Another method is to create TACACS+ user accounts directly on the FortiGate. In this case, specify which TACACS+ server to use for each user created:

 

config user local
    edit <user name>
        set type tacacs+
        set tacacs+-server <server name>
    next
end

 

3. Create an admin user configured for remote login, with wildcard enabled and a no-access profile.

 

For this step, it is necessary to be in a global context if the FortiGate is configured with VDOMs:

 

config global

 

Start by creating the access profile. It is deliberately minimal, so that the access profile returned by the TACACS+ server can be applied on top of it:

 

config system accprofile
    edit noaccess
    next
end

 

Then create the desired admin account:

 

config system admin
    edit <admin name>
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root"
        set wildcard enable
        set remote-group <tacacs+ group name>
        set accprofile-override enable
    next
end

 

Enabling 'accprofile-override' allows the TACACS+ server to grant an admin user more rights than the noaccess profile alone would allow.

TACACS+ server configuration:

Create the wanted users and user groups in the TACACS+ server configuration file.

A basic example:

 

group = read-only {
    default service = permit
}

 

An admin group example:

 

group = admins {
    default service = permit
    service = fortigate {
        admin_prof = super_admin
    }
}

 

Declaring the 'fortigate' service with 'admin_prof' set to 'super_admin' grants users of this group the super_admin profile on the FortiGate.

For each user, configure chap as the authentication method so that it matches the 'authen-type chap' setting on the FortiGate:

 

user = <regular user name> {
    default service = permit
    member = read-only
    login = cleartext <password>
    chap = cleartext <password>
}

user = <admin user name> {
    default service = permit
    member = admins
    login = cleartext <password>
    chap = cleartext <password>
}
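As an added example (not from the article or from Fortinet), here is a small Python checker that parses a tac_plus-style configuration like the one above and reports, for each user, whether a CHAP secret is defined and which FortiGate admin profile the user inherits through its group. The user and group names in the sample are constructed and the passwords are placeholders.

```python
# Constructed tac_plus-style sample (placeholder passwords); 'bob' has no 'chap =' line,
# which the article says is needed for the FortiGate's 'authen-type chap' to work.
SAMPLE_CONFIG = """
group = read-only {
    default service = permit
}
group = admins {
    default service = permit
    service = fortigate {
        admin_prof = super_admin
    }
}
user = alice {
    member = read-only
    login = cleartext PLACEHOLDER
    chap = cleartext PLACEHOLDER
}
user = bob {
    member = admins
    login = cleartext PLACEHOLDER
}
"""


def parse_tac_plus(text):
    """Parse 'kind = name { key = value ... }' blocks into nested dicts; a nested
    'service = fortigate { ... }' block is stored under the key 'service:fortigate'."""
    root, stack = {"group": {}, "user": {}}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.endswith("{"):  # block start
            kind, _, name = line[:-1].partition("=")
            kind, name, attrs = kind.strip(), name.strip(), {}
            parent = stack[-1] if stack else root.setdefault(kind, {})
            parent[f"{kind}:{name}" if stack else name] = attrs
            stack.append(attrs)
        elif line == "}":  # block end
            stack.pop()
        else:  # 'key = value' attribute inside the current block
            key, _, value = line.partition("=")
            stack[-1][key.strip()] = value.strip()
    return root


def audit(text):
    """Per user: whether a CHAP secret exists and which FortiGate admin profile
    results (a user-level 'service = fortigate' block wins over the group's)."""
    cfg, report = parse_tac_plus(text), {}
    for name, entry in cfg["user"].items():
        group = cfg["group"].get(entry.get("member", ""), {})
        svc = entry.get("service:fortigate") or group.get("service:fortigate", {})
        report[name] = {"chap": "chap" in entry, "admin_prof": svc.get("admin_prof")}
    return report
```

Running `audit(SAMPLE_CONFIG)` shows at a glance which accounts would land as super_admin on the FortiGate and which would fail CHAP authentication because no CHAP secret is defined.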

 

Verification:

In order to check the configuration, use the following command in the FortiGate CLI:
 
diagnose test authserver tacacs+ <server name> <user name> <password>
 
This tests the given credentials against the remote server and also reports the authenticated user's admin profile.
 
Example output:
 
authenticate user 'fortiadmin' on server 'tac_plus' succeeded

Admin profile: super_admin

 

To restrict local administrators while TACACS+ is reachable:
 
config system global
    set admin-restrict-local enable
end