FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
ighita
Staff
Staff
Description
This article describes how to configure password authentication using a remote TACACS+ server for a system admin user, while the authorization is done on the FortiGate.

Solution
1) Add the TACACS+ server to the FortiGate.

From GUI:





From CLI:
# config user tacacs+
    edit "TACACS_server"
        set server "10.0.3.114"
        set key <server key>
        set authen-type chap
        set authorization enable
    next
end
2) Create a user group and add the server as a member.

From GUI:




From CLI:
# config user group
    edit "TACACS_GROUP"
        set member "TACACS_server"
    next
end
3) Create the custom access profile.

From GUI:



From CLI:
# config system accprofile
    edit "read_only"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
    next
end
4) Create the admin user and select the Administrator Profile.

From GUI:




From CLI:
# config system admin
    edit "limited_admin"
        set remote-auth enable
        set accprofile "read_only"
        set vdom "root"
        set remote-group "TACACS_GROUP"
    next
end

Contributors