FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 373821
Description This article describes how to set up a FortiGate to authenticate and authorize the admin user using TACACS+, with fallback to the local password.
Scope FortiGate.
Solution

Configure an admin user on the FortiGate. Set the type to 'Match a user on the remote server group', as this option allows a local password to be set.

[Image: tacacs_admin.png]

See the article Technical Tip: How to configure TACACS+ authentication and authorization in FortiGate to complete the TACACS+ configuration for authentication and authorization.

The admin account should be configured as below, with remote authentication and a local backup password:

config system admin
    edit tacacs
        set remote-auth enable
        set accprofile prof_admin
        set vdom root
        set remote-group tacacs_admin
        set password ENC SH2Rh0YgEgb8KD6bOcUFz7S
        set accprofile-override enable
    next
end

Debug logs show successful authentication when the TACACS+ server is up and running:

[579] fnbamd_tac_plus_validate_author_reply-arg cnt 3
[680] __tac_plus_rxtx-Result validating TAC+ rsp: 0
[116] __tac_plus_next_state-State: 'Author' -> 'Done'
[1032] fnbamd_tac_plus_result-
[624] fnbamd_tac_plus_process-Result for TAC+ svr 'FAC_TAC' is 0
[589] __parse_author_reply_args-
[594] __parse_author_reply_args-arg cnt 3
[375] __set_admin_prof-Authorization admin profile 'super_admin'
[363] __add_group-Authorization group 'tacacs'
[1051] fnbamd_tac_plus_result-res=0
[627] fnbam_user_auth_group_match-req id: 71498490273793, server: FAC_TAC, local auth: 0, dn match: 0
[206] find_matched_usr_grps-Passed group matching

Authentication via local credentials can be restricted via a global setting while the TACACS+ servers are up:

config system global
    set admin-restrict-local { enable | disable }    <----- Default is disable.
end

enable: Enable local admin authentication restriction.
disable: Disable local admin authentication restriction.
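To check that every remote-authenticated admin actually has a local backup password, and to see the current admin-restrict-local value, the text of `config system admin` and `config system global` can be audited offline. The following is an added example, not Fortinet code; it assumes the CLI dump uses the config/edit/set/next/end layout shown above, and the sample configuration is constructed for the example (the `tacacs_nofallback` account is hypothetical).

```python
"""Audit a FortiGate CLI dump for TACACS+ admins with local password fallback.

Added example (not Fortinet's code). Parses `config system admin` and
`config system global` text and reports, per admin, whether remote
authentication is enabled and a local backup password is present, plus the
value of admin-restrict-local.
"""

# Constructed sample modelled on the article's configuration; the second
# admin (tacacs_nofallback) is hypothetical and deliberately lacks a password.
SAMPLE_CONFIG = """\
config system global
    set admin-restrict-local disable
end
config system admin
    edit tacacs
        set remote-auth enable
        set accprofile prof_admin
        set vdom root
        set remote-group tacacs_admin
        set password ENC SH2Rh0YgEgb8KD6bOcUFz7S
        set accprofile-override enable
    next
    edit tacacs_nofallback
        set remote-auth enable
        set accprofile prof_admin
        set vdom root
        set remote-group tacacs_admin
    next
end
"""


def parse_fortios_config(text):
    """Return {section: {entry: {key: value}}} for config/edit/set blocks.

    Settings placed directly under `config` (no `edit`) are stored under the
    entry name None.
    """
    sections = {}
    section = None
    entry = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[len("config "):]
            sections.setdefault(section, {})
            entry = None
        elif section is None:
            continue  # ignore text outside any config block
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[section].setdefault(entry, {})
        elif line.startswith("set "):
            key, _, value = line[len("set "):].partition(" ")
            sections[section].setdefault(entry, {})[key] = value
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
            entry = None
    return sections


def audit_admins(text):
    """Return (admin_restrict_local, [(admin_name, status), ...])."""
    cfg = parse_fortios_config(text)
    restrict = (cfg.get("system global", {}).get(None, {})
                .get("admin-restrict-local", "disable"))  # disable is the default
    findings = []
    for name, settings in cfg.get("system admin", {}).items():
        if name is None:
            continue
        remote = settings.get("remote-auth") == "enable"
        has_local_pw = "password" in settings
        if remote and has_local_pw:
            status = "remote auth with local fallback"
        elif remote:
            status = "remote auth only: no local fallback if TACACS+ is down"
        else:
            status = "local auth only"
        findings.append((name, status))
    return restrict, findings


if __name__ == "__main__":
    restrict, findings = audit_admins(SAMPLE_CONFIG)
    print(f"admin-restrict-local: {restrict}")
    for name, status in findings:
        print(f"{name}: {status}")
```

With the constructed sample, the `tacacs` account is reported as having a local fallback, the hypothetical `tacacs_nofallback` account is flagged as lacking one, and admin-restrict-local is reported as disable.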

Admin users can fall back to the local password when the TACACS+ servers are completely down. However, unlike RADIUS, the remote username does not work here; the locally configured username and password must be used (as per the test scenario in v7.4.x).

[517] __tac_plus_conn_timeout-Connction with FAC_TAC:10.5.24.70 timed out.
[823] __tac_plus_error-Ret 10, st = 0.
[94] fnbamd_tac_plus_get_next_authen_type-Next authen type pap
[846] __tac_plus_error-Conn failed.
[660] fnbamd_cfg_tac_plus_update_reachability-10.5.24.70, conn_fails
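The two debug excerpts above (the successful authorization and the connection timeout) are what an operator has to tell apart when deciding whether a login was authorized by the TACACS+ server or came in through the local-password fallback. The following is an added example, not Fortinet code, that classifies `fnbamd` TACACS+ debug output into those two outcomes; it assumes the line formats match the ones shown in this article, and the sample logs are constructed from those lines.

```python
"""Classify FortiGate fnbamd TACACS+ debug output.

Added example (not Fortinet's code). Scans debug lines for the TAC+ result
code, authorized admin profile and groups, and connection timeout /
reachability messages, and returns a verdict: authorized by TACACS+, or
TACACS+ unreachable (so a local-password fallback is expected).
"""
import re

# Constructed samples, taken from the log formats shown in the article.
SUCCESS_LOG = """\
[579] fnbamd_tac_plus_validate_author_reply-arg cnt 3
[680] __tac_plus_rxtx-Result validating TAC+ rsp: 0
[116] __tac_plus_next_state-State: 'Author' -> 'Done'
[624] fnbamd_tac_plus_process-Result for TAC+ svr 'FAC_TAC' is 0
[375] __set_admin_prof-Authorization admin profile 'super_admin'
[363] __add_group-Authorization group 'tacacs'
[1051] fnbamd_tac_plus_result-res=0
[627] fnbam_user_auth_group_match-req id: 71498490273793, server: FAC_TAC, local auth: 0, dn match: 0
[206] find_matched_usr_grps-Passed group matching
"""

FAILURE_LOG = """\
[517] __tac_plus_conn_timeout-Connction with FAC_TAC:10.5.24.70 timed out.
[823] __tac_plus_error-Ret 10, st = 0.
[94] fnbamd_tac_plus_get_next_authen_type-Next authen type pap
[846] __tac_plus_error-Conn failed.
[660] fnbamd_cfg_tac_plus_update_reachability-10.5.24.70, conn_fails
"""

RESULT_RE = re.compile(r"fnbamd_tac_plus_process-Result for TAC\+ svr '([^']+)' is (-?\d+)")
PROFILE_RE = re.compile(r"__set_admin_prof-Authorization admin profile '([^']+)'")
GROUP_RE = re.compile(r"__add_group-Authorization group '([^']+)'")
# "Conn\w*" tolerates the misspelled "Connction" that appears in the debug output.
TIMEOUT_RE = re.compile(r"__tac_plus_conn_timeout-Conn\w* with ([^:\s]+):(\S+) timed out")
REACH_RE = re.compile(r"fnbamd_cfg_tac_plus_update_reachability-(\S+), conn_fails")
LOCAL_RE = re.compile(r"local auth: (\d)")


def summarize_tacacs_debug(text):
    """Return a dict summarizing one TACACS+ admin login attempt."""
    summary = {"server": None, "result": None, "profile": None, "groups": [],
               "timeouts": [], "unreachable": [], "local_auth": None}
    for line in text.splitlines():
        if m := RESULT_RE.search(line):
            summary["server"] = m.group(1)
            summary["result"] = int(m.group(2))
        elif m := PROFILE_RE.search(line):
            summary["profile"] = m.group(1)
        elif m := GROUP_RE.search(line):
            summary["groups"].append(m.group(1))
        elif m := TIMEOUT_RE.search(line):
            summary["timeouts"].append((m.group(1), m.group(2)))
        elif m := REACH_RE.search(line):
            summary["unreachable"].append(m.group(1))
        elif m := LOCAL_RE.search(line):
            summary["local_auth"] = int(m.group(1))

    # A result code of 0 plus an authorized admin profile means the TACACS+
    # server granted the login; timeouts / conn_fails mean it never answered,
    # which is the condition under which the local password fallback applies.
    if summary["result"] == 0 and summary["profile"]:
        summary["verdict"] = "authorized by TACACS+"
    elif summary["timeouts"] or summary["unreachable"]:
        summary["verdict"] = "TACACS+ unreachable; local password fallback expected"
    else:
        summary["verdict"] = "undetermined"
    return summary


if __name__ == "__main__":
    for label, log in (("success", SUCCESS_LOG), ("failure", FAILURE_LOG)):
        s = summarize_tacacs_debug(log)
        print(f"{label}: {s['verdict']} (server={s['server']}, profile={s['profile']}, "
              f"groups={s['groups']}, timeouts={s['timeouts']})")
```

Feeding the output of `diagnose debug application fnbamd -1` into this classifier lets a fallback login (server unreachable, local password accepted) be distinguished from a normal TACACS+-authorized one; in the successful case the summary also carries the authorized profile (`super_admin`) and group (`tacacs`) that the server returned.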

Logged-in admin list:

krypton-kvm07 # get system info admin status
Index User name Login type From
Logged in users: 3
USERNAME TYPE FROM TIME
admin https 10.xx.xx.xx Fri Jan 24 01:59:08 2025
admin jsconsole 10.xx.xx.xx Fri Jan 24 02:04:13 2025
tacacs https 10.xx.xx.xx Fri Jan 24 03:27:26 2025
