FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 192810



This article describes how to configure password authentication and access using a remote TACACS+ server on FortiGate.



FortiGate provides support for many remote authentication servers, including TACACS+. If deciding to use a TACACS+ server for authentication, FortiGate will forward the user's submitted credentials to it and wait for its response.


Here is a step-by-step guide:


1. Add the TACACS+ server to the FortiGate using the following commands on the CLI:


config user tacacs+
    edit <server name>
        set authorization enable
        set server <server ip>
        set key <server key>
        set authen-type chap


'set authen-type' can have the following options: PAP, MSCHAP, and CHAP, Auto.
Selecting 'Auto' tries PAP, MSCHAP, and CHAP, in that order.


The 'Auto' option does not work with TACACS+, so it is necessary to select the authentication type between the available options.
It is possible to find the server key in the configuration file of the TACACS+ server.


2. Create a user group and add the server as a member:


config user group
    edit <tacacs+ group name>
        set member <server name>


With this method, any user with an account on the remote server can authenticate.


Another method would be to create TACACS+ user accounts directly on FortiGate. In this case, it is necessary to specify which TACACS+ server wanted to use for each user created:


config user local
    edit <user name>
        set type tacacs+
tacacs+-server <server name>


3. Create an admin user set up for remote login, wildcard, and a no-access profile.


For this step, it is necessary to be in a global context if the FortiGate is configured with VDOMs:


config global


Start by creating the access profile (minimum level so that the access profile on the TACACS+ server can be set on top of it):


config system accprofile
    edit noaccess


Then create the admin wanted:


config system admin
    edit <profile name>
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root"
        set wildcard enable
        set remote-group <tacacs+ group name>
        set accprofile-override enable


Enabling the override means the ability to give a TACACS+ admin user more rights than the noaccess profile would allow.

TACACS+ server configuration:

Create the wanted users and user groups in the TACACS+ server configuration file.

A basic


group = read-only {
    default service = permit


An admin group example:


group = admins {
    default service = permit
    service = fortigate {
        admin_prof = super_admin


Calling the 'fortigate' service and setting 'admin_prof' to 'super_admin' allows giving users of this group admin access.

For the wanted users, configure chap as the authentication method to make it work with the FortiGate:


user = <regular user name> {
    default service = permit
    member = read-only
    login = cleartext <password>
    chap = cleartext <password>

user = <admin user name> {
    default service = permit
    member = admins
    login = cleartext <password>
    chap = cleartext <password>



In order to check the configuration, use the following command in the FortiGate CLI:
diagnose test authserver tacacs+ <server name> <user name> <password>
This will test the given credentials against the remote server. It will also give the authenticated user's admin profile.
Example output:
authenticate user 'fortiadmin' on server 'tac_plus' succeeded

Admin profile: super_admin


To restrict local administrators while TACACS+ is reachable:
config system global
    set admin-restrict-local enable