spoojary
Staff
Article Id 273974
Description: This article explains the response codes TACACS+ (Terminal Access Controller Access-Control System Plus) returns during authentication and how to troubleshoot TACACS+ issues on a FortiGate. TACACS+ is an authentication protocol widely used by network devices to communicate with an authentication server.
Scope: FortiGate.
Solution:

When errors occur in the TACACS+ authentication process, error codes are sent back to the client (the network device trying to authenticate a user). Understanding these error codes can be crucial for troubleshooting authentication issues.


While the TACACS+ protocol does not have an extensive list of explicit error codes like some other protocols, the responses it sends back in its packets do indicate the success or failure of an authentication attempt.


Here are some key responses and their interpretations:

  1. PASS: Authentication was successful.
  2. FAIL: Authentication failed. This could be due to various reasons, including an incorrect password or a misconfiguration.
  3. ERROR: An error occurred during the authentication process. This might be due to issues with the TACACS+ server itself, a misconfigured shared secret, or other server-related problems.
  4. FOLLOW: This indicates that there is a subsequent sequence in the authentication process that needs to be followed, often used for multi-step authentication.

FortiGate appliances can utilize TACACS+ for administrative access and authentication. When setting up or maintaining this kind of integration, it is not uncommon to encounter issues. While TACACS+ itself does not have specific error codes like some protocols, FortiGate logs can provide more specific information about any encountered issues.


When troubleshooting TACACS+ issues on a FortiGate, consider the following steps and common pitfalls:

  1. Check the Logs: The FortiGate device logs messages related to TACACS+ authentication attempts. These logs can give insight into what might be going wrong. They can be accessed via the GUI under Log & Report or through the CLI with log-related commands.

  2. Shared Secret: A common issue is a mismatch of the shared secret between the TACACS+ server and the FortiGate device. Ensure that the secret is correctly configured on both ends.

  3. Server Configuration: Double-check the TACACS+ server settings on the FortiGate. Ensure the IP address, port number, and other server-related configurations match what's set up on the TACACS+ server itself.

  4. Server Reachability: Ensure the FortiGate can reach the TACACS+ server. Test with basic network tools like ping or traceroute from the FortiGate CLI.

  5. User Profiles: If specific users cannot authenticate, verify that their user profiles on the TACACS+ server are set up correctly and that they are assigned to the right group or privilege level.

  6. Timeouts: Adjust the timeout settings if the FortiGate is not getting a response from the TACACS+ server in time. This could be due to network latency or the TACACS+ server being overwhelmed with requests.

  7. FortiOS Version: Ensure the FortiGate is running a stable and up-to-date version of FortiOS. Some issues might be resolved in newer firmware releases.

  8. TACACS+ Server Logs: Do not just rely on FortiGate logs. The TACACS+ server will also have logs that can provide additional details about authentication attempts. Depending on the TACACS+ server software used, the logging verbosity and location might vary.

  9. Packet Captures: If all else fails and it is not possible to pinpoint the issue, consider capturing packets between the FortiGate device and the TACACS+ server. This helps to establish whether requests are being sent, whether a response is received, and what might be going wrong in the communication process.
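As an added illustration for steps 2 and 9 (this is example code, not part of the original article or of FortiOS), the following Python script decodes a captured TACACS+ authentication REPLY using the shared secret and the MD5 body obfuscation defined in RFC 8907. The session id, secret and server message are constructed sample values; decoding the same packet with a mismatched secret produces an inconsistent body, which is what a shared-secret mismatch looks like in a capture.

```python
"""Decode a TACACS+ authentication REPLY packet (RFC 8907) with a shared secret."""
import hashlib
import struct

# Authentication REPLY status values (RFC 8907, section 5.2).
AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                 0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}


def tacacs_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream used to obfuscate the packet body (RFC 8907, section 4.5)."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def build_authen_reply(session_id: bytes, key: bytes, seq_no: int, status: int, server_msg: bytes) -> bytes:
    """Construct an obfuscated authentication REPLY the way a TACACS+ server would send it."""
    version = 0xC0                       # major version 0xC, minor version 0
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    body = bytes(b ^ p for b, p in zip(body, pad))
    # Header: version, type (1 = authentication), seq_no, flags (0 = obfuscated), session_id, length.
    return struct.pack("!BBBB4sI", version, 1, seq_no, 0, session_id, len(body)) + body


def decode_authen_reply(packet: bytes, key: bytes) -> dict:
    """Parse the 12-byte header, strip the obfuscation with `key`, and decode the reply fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    body = packet[12:12 + length]
    if not flags & 0x01:                 # TAC_PLUS_UNENCRYPTED_FLAG clear: body is obfuscated
        body = bytes(b ^ p for b, p in zip(body, tacacs_pad(session_id, key, version, seq_no, length)))
    status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    return {
        "type": ptype, "seq_no": seq_no,
        "status": AUTHEN_STATUS.get(status, f"UNKNOWN(0x{status:02x})"),
        "server_msg": body[6:6 + msg_len].decode("utf-8", "replace"),
        "valid": 6 + msg_len + data_len == length,   # False when the secret did not match
        "body_hex": body.hex(),
    }


if __name__ == "__main__":
    sid = bytes.fromhex("12345678")      # constructed session id
    pkt = build_authen_reply(sid, b"correct-secret", 2, 0x01, b"Welcome")   # constructed sample capture
    print(decode_authen_reply(pkt, b"correct-secret"))   # status PASS, valid True
    print(decode_authen_reply(pkt, b"wrong-secret"))     # garbage status, valid almost certainly False
```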

Finally, when changes have been made to troubleshoot the issue, always test the TACACS+ authentication again to see if the problem persists. If necessary, consult Fortinet's official documentation or support channels for further assistance.


Related article:

Technical Tip : How to configure TACACS+ authentication and authorization in FortiGate