Description | This article describes why it is not possible to use TACACS+ as a fully supported authentication method for SSL VPN, and what the limitations of the available workaround are. |
Scope | FortiGate. |
Solution |
TACACS+ is an authentication, authorization, and accounting (AAA) protocol developed by Cisco. It is used to manage administrative access and to provide granular control (for example per-command authorization) over what administrators can do on a device or system.
The TACACS+ protocol is designed for authenticating, authorizing, and accounting administrative access, not for more complex use cases such as VPN user authentication.
That is why TACACS+ is not recommended as an authentication method for SSL VPN. FortiGate supports TACACS+ primarily for administrator authentication (administrators logging in to the device itself), not for end users accessing services such as SSL VPN. SSL VPN needs per-user attributes such as group membership, the assigned portal, and user profile options, and the FortiGate TACACS+ integration does not return these attributes. RADIUS and LDAP, by contrast, are the preferred methods for authenticating SSL VPN users because they natively carry user and group attributes (for example an LDAP group DN or a RADIUS group attribute), which FortiGate can match against user groups.
However, even though TACACS+ returns no group attribute, a FortiGate user group can include the TACACS+ server as a remote member. Any user who authenticates successfully against that server then matches the group, and the group can be referenced by an SSL VPN authentication rule and a firewall policy, so TACACS+ users can log in to the SSL VPN portal. The drawback of this method is that every TACACS+ user lands in the first FortiGate group that contains the server, regardless of the group configured on the TACACS+ server, so different TACACS+ groups cannot be mapped to different portals or policies. In addition, if the TACACS+ user is also a member of the local firewall administrators group, SSL VPN authentication will not succeed for that user.
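As an added example that is not part of the original article, the FortiOS CLI configuration for the group-mapping workaround described above, followed by the RADIUS group-match configuration that gives the per-group portal and policy assignment TACACS+ cannot provide. Server addresses, shared secrets, interface names, address objects, group names, portal names and the policy ID are placeholders and assumptions; the lines starting with `#` are annotations and must be removed before pasting into the CLI.

```text
# --- Workaround: TACACS+ server as a remote member of a FortiGate user group ---
config user tacacs+
    edit "tacacs-srv"
        # assumed server name and address; key is a placeholder
        set server "10.0.0.5"
        set key "<shared-secret>"
        set authen-type auto
    next
end

config user group
    # every TACACS+ user matches this group, whatever group the TACACS+
    # server holds for them; a second group with the same member is never reached
    edit "sslvpn-tacacs"
        set member "tacacs-srv"
    next
end

config vpn ssl web portal
    edit "tacacs-portal"
        set tunnel-mode enable
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
    next
end

config vpn ssl settings
    config authentication-rule
        edit 1
            set groups "sslvpn-tacacs"
            set portal "tacacs-portal"
        next
    end
end

config firewall policy
    edit 10
        set name "sslvpn-tacacs-to-lan"
        set srcintf "ssl.root"
        # assumed LAN interface
        set dstintf "port2"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        set dstaddr "all"
        set groups "sslvpn-tacacs"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- Preferred: RADIUS with group matching, so each backend group maps to its
# --- own FortiGate group (and therefore its own portal and policy).
# --- LDAP offers the same "config match" mechanism with a group DN.
config user radius
    edit "radius-srv"
        set server "10.0.0.6"
        set secret "<shared-secret>"
    next
end

config user group
    edit "sslvpn-staff"
        set member "radius-srv"
        config match
            edit 1
                set server-name "radius-srv"
                # value returned by the RADIUS server in Fortinet-Group-Name
                set group-name "sslvpn-staff"
            next
        end
    next
end

# --- Checks from the CLI (placeholders for user and password) ---
# diagnose test authserver tacacs+ tacacs-srv <user> <password>
# diagnose test authserver radius radius-srv pap <user> <password>
# diagnose debug application fnbamd -1
# diagnose debug enable
```

The `diagnose test authserver` output for the TACACS+ server shows only authentication success or failure and no group list, which is the limitation this article is about; the same test against the RADIUS server lists the groups returned by the server, and the `fnbamd` debug shows which FortiGate user group an SSL VPN login was matched to.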
Active Directory (over LDAP) or a RADIUS server can be configured directly on FortiGate as the SSL VPN authentication backend, with support for advanced attributes such as group membership and per-group portal assignment. |