Created on 10-20-2011 06:33 AM, edited on 11-17-2024 09:37 AM by Stephen_G
Description
This article describes how to configure password authentication and access using a remote TACACS+ server on FortiGate.
Scope
FortiGate supports many remote authentication servers, including TACACS+. When a TACACS+ server is used for authentication, FortiGate forwards the user's submitted credentials to it and waits for its response before granting or denying access.
Solution
Here is a step-by-step guide:
1. Add the TACACS+ server to the FortiGate using the following commands on the CLI:
config user tacacs+
    edit <server name>
        set authorization enable
        set server <server ip>
        set key <server key>
        set authen-type chap
    next
end
'set authen-type' can have the following options: PAP, MSCHAP, CHAP, and Auto.
Selecting 'Auto' tries PAP, MSCHAP, and CHAP, in that order.
The 'Auto' option does not work with TACACS+, so select one of the explicit authentication types (PAP, MSCHAP, or CHAP); this guide uses CHAP.
The server key is the shared secret found in the configuration file of the TACACS+ server; it must match on both sides.
The TACACS+ Servers tab only appears under the User & Authentication tab after TACACS+ has been configured via the CLI.
2. Create a user group and add the server as a member:
config user group
    edit <tacacs+ group name>
        set member <server name>
    next
end
With this method, any user with an account on the remote server can authenticate.
Note:
Another method is to create TACACS+ user accounts directly on the FortiGate. In this case, it is necessary to specify which TACACS+ server to use for each user created:
config user local
    edit <user name>
        set type tacacs+
        set tacacs+-server <server name>
    next
end
3. Create an admin user configured for remote authentication, with wildcard enabled and a no-access profile.
For this step, it is necessary to be in the global context if the FortiGate is configured with VDOMs:
config global
Start by creating an access profile with no permissions. It serves as the baseline, so that the access profile returned by the TACACS+ server can be applied on top of it:
config system accprofile
    edit noaccess
    next
end
Then create the admin account:
config system admin
    edit <admin name>
        set remote-auth enable
        set accprofile "noaccess"
        set vdom "root"
        set wildcard enable
        set remote-group <tacacs+ group name>
        set accprofile-override enable
    next
end
Enabling the override allows the access profile returned by the TACACS+ server to give an admin user more rights than the noaccess profile would allow.
TACACS+ server configuration:
Create the required users and user groups in the TACACS+ server configuration file.
A basic example:
group = read-only {
    default service = permit
}
An admin group example:
group = admins {
    default service = permit
    service = fortigate {
        admin_prof = super_admin
    }
}
Calling the 'fortigate' service and setting 'admin_prof' to 'super_admin' gives users of this group admin access with that profile.
For each user, configure chap as the authentication method so that it matches the 'set authen-type chap' setting on the FortiGate:
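To make the 'admin_prof' mechanism concrete, here is an added example (not FortiGate or tac_plus code) that decodes a TACACS+ authorization RESPONSE body in the RFC 8907 wire format, extracts the attribute the 'fortigate' service returns, and applies the accprofile-override decision described in step 3. Only the attribute name comes from the configuration above; the parsing functions, the override decision function and the sample response are assumptions constructed for the demo.

```python
"""Decode a TACACS+ authorization RESPONSE (RFC 8907 section 6.2) carrying the
'admin_prof' attribute from the 'fortigate' service above, and apply the
accprofile-override rule from step 3.  Added example, not FortiGate code: how
the FortiGate itself consumes the attribute is assumed; only the attribute
name comes from the TACACS+ server configuration."""
import struct

AUTHOR_PASS_ADD, AUTHOR_PASS_REPL, AUTHOR_FAIL = 0x01, 0x02, 0x10


def build_author_response(status, attrs):
    """Constructed server RESPONSE body: status, arg_cnt, server_msg_len, data_len,
    one length byte per argument, then the 'attr=value' strings (no msg, no data)."""
    args = [f"{k}={v}".encode("ascii") for k, v in attrs.items()]
    return (struct.pack("!BBHH", status, len(args), 0, 0)
            + bytes(len(a) for a in args) + b"".join(args))


def parse_author_response(body):
    """Return (status, {attr: value}).  '=' marks a mandatory attribute,
    '*' an optional one (section 6.1); the first separator wins."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = list(body[6:6 + arg_cnt])
    off = 6 + arg_cnt + msg_len + data_len   # skip server_msg and data
    attrs = {}
    for n in arg_lens:
        arg = body[off:off + n].decode("ascii")
        off += n
        sep = next((i for i, c in enumerate(arg) if c in "=*"), -1)
        if sep < 0:
            raise ValueError(f"malformed attribute: {arg!r}")
        attrs[arg[:sep]] = arg[sep + 1:]
    return status, attrs


def effective_accprofile(status, attrs, local_accprofile="noaccess", override=True):
    """Profile an admin session ends up with (assumed decision logic):
    None when authorization failed, the server's admin_prof when
    accprofile-override is enabled and the attribute is present, otherwise
    the profile configured locally on the admin account."""
    if status not in (AUTHOR_PASS_ADD, AUTHOR_PASS_REPL):
        return None
    if override and "admin_prof" in attrs:
        return attrs["admin_prof"]
    return local_accprofile


if __name__ == "__main__":
    body = build_author_response(AUTHOR_PASS_ADD, {"admin_prof": "super_admin"})
    status, attrs = parse_author_response(body)
    print(attrs, "->", effective_accprofile(status, attrs))                  # super_admin
    print(attrs, "-> override off:", effective_accprofile(status, attrs, override=False))  # noaccess
    print("FAIL ->", effective_accprofile(AUTHOR_FAIL, {}))                  # None
```

The profile named in 'admin_prof' is assumed to have to exist as an accprofile on the FortiGate (super_admin is built in); with 'accprofile-override' disabled the attribute is ignored and the admin keeps the noaccess profile, which is why the override must be enabled in step 3.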
user = <regular user name> {
    default service = permit
    member = read-only
    login = cleartext <password>
    chap = cleartext <password>
}
user = <admin user name> {
    default service = permit
    member = admins
    login = cleartext <password>
    chap = cleartext <password>
}
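The following added example (not FortiGate or tac_plus code) walks through the exchange that 'set authen-type chap' in step 1 and the 'chap = cleartext <password>' entries above rely on: the NAS role builds a TACACS+ authentication START packet carrying a CHAP challenge and response, obfuscates the body with the shared key as RFC 8907 specifies, and a minimal server decodes it, verifies the response against a cleartext password store, and answers with a REPLY. It also shows the two failure modes a practitioner hits most: a wrong password and a mismatched shared key. The key, user, password, challenge, port and rem_addr values are constructed for the demo, and the server is a model of what a TACACS+ server does, not tac_plus itself.

```python
"""Offline TACACS+ (RFC 8907) CHAP login: the NAS side a FortiGate plays with
'set authen-type chap', and a server side that checks it against a cleartext
password store (the 'chap = cleartext <password>' entries above).
Added example, not FortiGate or tac_plus code; key, user, password and
challenge values are constructed for the demo."""
import hashlib
import hmac
import struct

VERSION = 0xC1            # major 0xC, minor 1: required for PAP/CHAP/MSCHAP START (section 5.1)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01   # header flag; bodies are obfuscated unless it is set
ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_CHAP, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x03, 0x01
STATUS_PASS, STATUS_FAIL = 0x01, 0x02


def pseudo_pad(session_id, key, version, seq_no, length):
    """Section 4.5 keystream: chained MD5 over session_id | key | version | seq_no."""
    pad, prev = b"", b""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pad; the same call de-obfuscates.  There is no integrity
    check, so a mismatched shared key yields garbage, not an explicit error."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, key, body):
    """12-byte header (never obfuscated) followed by the obfuscated body."""
    header = struct.pack("!BBBBII", VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def parse_packet(packet, key):
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def chap_response(ppp_id, password, challenge):
    """CHAP (RFC 1994) response: MD5(id | secret | challenge)."""
    return hashlib.md5(bytes([ppp_id]) + password + challenge).digest()


def client_start_chap(user, password, session_id, key, challenge, ppp_id=1):
    """Authentication START the NAS sends: data = ppp_id | challenge | response."""
    data = bytes([ppp_id]) + challenge + chap_response(ppp_id, password, challenge)
    user_b, port_b, rem_b = user.encode(), b"ssh", b"192.0.2.10"   # constructed port / rem_addr
    body = struct.pack("!8B", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPE_CHAP, AUTHEN_SVC_LOGIN,
                       len(user_b), len(port_b), len(rem_b), len(data))
    return build_packet(TYPE_AUTHEN, 1, session_id, key, body + user_b + port_b + rem_b + data)


def server_handle_start(packet, key, users):
    """Server side: decode START, verify CHAP against the cleartext store, send REPLY.
    The server must hold the cleartext password to recompute the MD5, which is
    why tac_plus needs 'chap = cleartext' (a hashed store cannot serve CHAP)."""
    ptype, seq_no, session_id, body = parse_packet(packet, key)
    status = STATUS_FAIL
    if ptype == TYPE_AUTHEN and len(body) >= 8:
        action, _priv, atype, _svc, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
        if ((action, atype) == (ACTION_LOGIN, AUTHEN_TYPE_CHAP) and dl >= 17
                and len(body) == 8 + ul + pl + rl + dl):
            user = body[8:8 + ul].decode(errors="replace")
            data = body[8 + ul + pl + rl:]
            ppp_id, challenge, response = data[0], data[1:-16], data[-16:]
            pw = users.get(user)
            if pw is not None and hmac.compare_digest(chap_response(ppp_id, pw, challenge), response):
                status = STATUS_PASS
    reply = struct.pack("!BBHH", status, 0, 0, 0)   # REPLY: status, flags, server_msg_len, data_len
    return build_packet(TYPE_AUTHEN, seq_no + 1, session_id, key, reply)


def reply_status(packet, key):
    """Status byte of a decoded REPLY body."""
    return parse_packet(packet, key)[3][0]


if __name__ == "__main__":
    KEY, USERS = b"constructed-shared-key", {"alice": b"constructed-pw"}
    SID, CHALLENGE = 0x1F2E3D4C, bytes(range(16))
    cases = {
        "good login": (b"constructed-pw", KEY),
        "bad password": (b"wrong", KEY),
        "key mismatch": (b"constructed-pw", b"other-key"),   # NAS uses a different shared key
    }
    for name, (pw, nas_key) in cases.items():
        start = client_start_chap("alice", pw, SID, nas_key, CHALLENGE)
        reply = server_handle_start(start, KEY, USERS)
        print(f"{name:13s} -> {'PASS' if reply_status(reply, KEY) == STATUS_PASS else 'FAIL'}")
```

Two points worth noticing when troubleshooting the setup above: the header is sent in the clear, so session id and sequence numbers are always readable in a capture, while a wrong 'set key' shows up as a body the server cannot parse rather than as a clean "bad key" response; and MD5-based obfuscation of the body is not encryption, which is one reason the FortiGate-to-server path should be a trusted management network.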
Verification:
Admin profile: super_admin
set admin-restrict-local enable
end