Created on 10-20-2011 06:33 AM Edited on 11-17-2024 09:37 AM By Stephen_G
Description
This article describes how to configure password authentication and access using a remote TACACS+ server on FortiGate.
Scope
FortiGate provides support for many remote authentication servers, including TACACS+. If deciding to use a TACACS+ server for authentication, FortiGate will forward the user's submitted credentials to it and wait for its response.
Solution
Here is a step-by-step guide:
1. Add the TACACS+ server to the FortiGate using the following commands on the CLI:
config user tacacs+
edit <server name>
set authorization enable
set server <server ip>
set key <server key>
set authen-type chap
next
end
'set authen-type' can have the following options: PAP, MSCHAP, and CHAP, Auto.
Selecting 'Auto' tries PAP, MSCHAP, and CHAP, in that order.
The 'Auto' option does not work with TACACS+, so it is necessary to select the authentication type between the available options.
It is possible to find the server key in the configuration file of the TACACS+ server.
The TACACS+ Servers tab will only appear under the User & Authentication tab after configuring TACACS+ via the CLI:
2. Create a user group and add the server as a member:
config user group
edit <tacacs+ group name>
set member <server name>
next
end
With this method, any user with an account on the remote server can authenticate.
Note:
Another method would be to create TACACS+ user accounts directly on FortiGate. In this case, it is necessary to specify which TACACS+ server wanted to use for each user created:
config user local
edit <user name>
set type tacacs+
set tacacs+-server <server name>
next
end
3. Create an admin user set up for remote login, wildcard, and a no-access profile.
For this step, it is necessary to be in a global context if the FortiGate is configured with VDOMs:
config global
Start by creating the access profile (minimum level so that the access profile on the TACACS+ server can be set on top of it):
config system accprofile
edit noaccess
next
end
Then create the admin wanted:
config system admin
edit <profile name>
set remote-auth enable
set accprofile "noaccess"
set vdom "root"
set wildcard enable
set remote-group <tacacs+ group name>
set accprofile-override enable
next
end
Enabling the override means the ability to give a TACACS+ admin user more rights than the noaccess profile would allow.
TACACS+ server configuration:
Create the wanted users and user groups in the TACACS+ server configuration file.
A basic example:
group = read-only {
default service = permit
}
An admin group example:
group = admins {
default service = permit
service = fortigate {
admin_prof = super_admin
}
}
Calling the 'fortigate' service and setting 'admin_prof' to 'super_admin' allows giving users of this group admin access.
For the wanted users, configure chap as the authentication method to make it work with the FortiGate:
user = <regular user name> {
default service = permit
member = read-only
login = cleartext <password>
chap = cleartext <password>
}
user = <admin user name> {
default service = permit
member = admins
login = cleartext <password>
chap = cleartext <password>
}
Verification:
Admin profile: super_admin
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.