Created on 10-20-2011 06:33 AM Edited on 02-02-2024 04:44 AM By Stephen_G
Description
This article describes how to configure password authentication and access using a remote TACACS+ server on FortiGate.
Scope
FortiGate provides support for many remote authentication servers, including TACACS+. If deciding to use a TACACS+ server for authentication, FortiGate will forward the user's submitted credentials to it and wait for its response.
Solution
Here is a step-by-step guide:
1. Add the TACACS+ server to the FortiGate using the following commands on the CLI:
config user tacacs+
edit <server name>
set authorization enable
set server <server ip>
set key <server key>
set authen-type chap
next
end
'set authen-type' can be set to PAP, MSCHAP, CHAP, or Auto.
Selecting 'Auto' tries PAP, MSCHAP, and CHAP, in that order.
The 'Auto' option does not work with TACACS+, so one of the specific authentication types must be selected explicitly.
It is possible to find the server key in the configuration file of the TACACS+ server.
2. Create a user group and add the server as a member:
config user group
edit <tacacs+ group name>
set member <server name>
next
end
With this method, any user with an account on the remote server can authenticate.
Note:
Another method would be to create TACACS+ user accounts directly on FortiGate. In this case, it is necessary to specify which TACACS+ server to use for each user created:
config user local
edit <user name>
set type tacacs+
set tacacs+-server <server name>
next
end
3. Create an admin user set up for remote login, wildcard, and a no-access profile.
For this step, it is necessary to be in a global context if the FortiGate is configured with VDOMs:
config global
Start by creating an access profile with no rights (the minimum level, so that the access profile returned by the TACACS+ server can be applied on top of it):
config system accprofile
edit noaccess
next
end
Then create the admin account:
config system admin
edit <admin name>
set remote-auth enable
set accprofile "noaccess"
set vdom "root"
set wildcard enable
set remote-group <tacacs+ group name>
set accprofile-override enable
next
end
Enabling accprofile-override allows the TACACS+ server to assign a TACACS+ admin user a profile with more rights than the noaccess profile would allow.
TACACS+ server configuration:
Create the wanted users and user groups in the TACACS+ server configuration file.
A basic example:
group = read-only {
default service = permit
}
An admin group example:
group = admins {
default service = permit
service = fortigate {
admin_prof = super_admin
}
}
Defining the 'fortigate' service with 'admin_prof' set to 'super_admin' gives members of this group admin access on the FortiGate.
For each user, configure chap as the authentication method so that authentication works with the FortiGate (which was set to 'authen-type chap' in step 1):
user = <regular user name> {
default service = permit
member = read-only
login = cleartext <password>
chap = cleartext <password>
}
user = <admin user name> {
default service = permit
member = admins
login = cleartext <password>
chap = cleartext <password>
}
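As an added check that is not part of the original article, the following Python script parses a tac_plus-style configuration like the one above and reports, for each user, which admin_prof the 'fortigate' service of the user's group would return and whether the user has the chap entry the FortiGate requires. The sample configuration, group names and user names are constructed for this example.

```python
import re

# Constructed sample tac_plus-style configuration mirroring the article's layout.
SAMPLE_CONF = """
group = read-only {
    default service = permit
}
group = admins {
    default service = permit
    service = fortigate {
        admin_prof = super_admin
    }
}
user = alice {
    member = admins
    login = cleartext secret1
    chap = cleartext secret1
}
user = bob {
    member = read-only
    login = cleartext secret2
}
"""

def parse_blocks(text):
    """Parse 'key = name { ... }' blocks into nested dicts; 'key = value' lines become entries."""
    stack = [{}]  # stack[-1] is the block currently being filled
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = re.match(r'^(\S+)\s*=\s*(\S+)\s*\{$', line)
        if m:  # 'group = admins {' or 'service = fortigate {' opens a named sub-block
            child = {}
            stack[-1].setdefault(m.group(1), {})[m.group(2)] = child
            stack.append(child)
        elif line == '}':
            stack.pop()
        else:  # attribute line such as 'chap = cleartext secret1'
            key, _, val = line.partition('=')
            stack[-1][key.strip()] = val.strip()
    return stack[0]

def fortigate_profile_report(text):
    """Per user: admin_prof returned by the group's 'fortigate' service, and whether chap is set."""
    conf = parse_blocks(text)
    groups = conf.get('group', {})
    report = {}
    for name, user in conf.get('user', {}).items():
        group = groups.get(user.get('member', ''), {})
        prof = group.get('service', {}).get('fortigate', {}).get('admin_prof')
        # No admin_prof returned: FortiGate keeps its own accprofile (noaccess in this article)
        report[name] = {'admin_prof': prof or 'noaccess', 'chap': 'chap' in user}
    return report
```

A user flagged with chap False will fail CHAP authentication against a FortiGate configured as in step 1, so the report is worth running before restarting the TACACS+ daemon.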
Verification:
Admin profile: super_admin