TACACS+ is a protocol for centralized device management: it authenticates users who log in to network devices against a central server, so that credentials are not managed on each device. TACACS+ uses TCP port 49.
In this example, a FortiSwitch is configured in standalone mode, and the TACACS+ server is a FortiAuthenticator KVM instance hosted on an Ubuntu Server machine.
- Configure the TACACS+ server entry used for authentication. IP 10.10.70.90 is the FortiAuthenticator (TACACS+ server) KVM, and the FortiSwitch IP is 10.10.70.4. Remember that the key must be the same on the TACACS+ server and on the FortiSwitch:
FortiSwitch # config user tacacs+
edit "FAC-TACACS"
    set authen-type auto
    set authorization enable
    set key ENC r2cfBEFAX4xK4GCaIebrTigvgf8KfEjk0n/ElOj+ML6R6LL3q1rAXSAMWZWSh/ViryQqt8ln9pE1D/m6tYdSPPhbP+WI72a7GqIcBj4pHRhUqZCFFOvfuhb4lry/5+sOxwt2E8UJbPXOs2ng8/qNQ0+aBsoQcDGSo7P9NC4YdGWnqnXw
    set port 49
    set server "10.10.70.90"
    set source-ip 0.0.0.0
next
end
- Configure the TACACS+ user group, including the member created in step 1:
FortiSwitch # config user group
FortiSwitch (group) # edit TACACS_Group
    set group-type firewall
    set authtimeout 0
    set http-digest-realm ''
    set member "FAC-TACACS"
next
end
- Configure the TACACS+ system admin user account. It must point to the group created in step 2:
FortiSwitch # config system admin
edit "userswitch"
    set remote-auth enable
    set accprofile "prof_admin"
    set wildcard enable
    set remote-group "TACACS_Group"
next
end
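As an added illustration (example code, not from this article or from Fortinet), the following Python shows how the shared key is used to obfuscate TACACS+ packet bodies (RFC 8907, section 4.5). This is why the key set in step 1 must match the one on the FortiAuthenticator, and it also shows how a decoder can flag the TAC_PLUS_UNENCRYPTED_FLAG, which disables that protection. The key, session ID and authentication body values are constructed for the example.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag bit: body is sent in cleartext
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream from RFC 8907 section 4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; the operation is symmetric, so it also decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_body(user: bytes, port: bytes, rem_addr: bytes, data: bytes) -> bytes:
    """Authentication START body: action=LOGIN(1), priv_lvl=1, authen_type=PAP(2),
    authen_service=LOGIN(1), then the four length bytes and the variable fields."""
    lengths = bytes([len(user), len(port), len(rem_addr), len(data)])
    return bytes([1, 1, 2, 1]) + lengths + user + port + rem_addr + data

def build_packet(body: bytes, key: bytes, session_id: int, flags: int = 0) -> bytes:
    """Wrap a body in a TACACS+ header (version 0xC0, type AUTHEN=1, seq_no 1)."""
    version, ptype, seq_no = 0xC0, 0x01, 1
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        payload = body                      # weak setting: the key is never applied
    else:
        payload = obfuscate(body, session_id, key, version, seq_no)
    header = struct.pack(HEADER_FMT, version, ptype, seq_no, flags, session_id, len(payload))
    return header + payload

def decode_packet(packet: bytes, key: bytes) -> tuple:
    """Return (body, warnings); a wrong key yields garbage, the unencrypted flag a warning."""
    version, _ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    payload = packet[12:12 + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return payload, ["TAC_PLUS_UNENCRYPTED_FLAG set: body sent in cleartext"]
    return obfuscate(payload, session_id, key, version, seq_no), []

# Constructed sample values (not from a real capture): user name from the article, made-up key.
KEY = b"shared-secret"
BODY = authen_start_body(b"rgreen3", b"tty0", b"10.10.70.4", b"<password>")
PACKET = build_packet(BODY, KEY, session_id=0x1234ABCD)
```

Decoding PACKET with KEY returns BODY unchanged, while any other key returns an unrelated byte string, which is exactly what a key mismatch between FortiSwitch and FortiAuthenticator produces on the wire.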
Now let's configure the KVM FortiAuthenticator as the TACACS+ server. It is assumed that the switch and the TACACS+ server are in the same network segment:
- Include the FortiSwitch IP as a client: go to Authentication -> TACACS+ Service -> Clients. In this example, the entire segment is included:

- Create the policy, which checks the authentication method and applies to the matching clients: go to Authentication -> TACACS+ Service -> Policies and select 'Create New'. The TACACS+ Policy Wizard opens; move the client segment created above from left to right.

Select the Username format:

Select the Authentication factor:

Finish the policy configuration: select Update and exit:

- To create authorization rules, go to Authentication -> TACACS+ Service -> Authorization. Authorization rules can be assigned to user groups or to individual user accounts.

- To create a local user, go to Authentication -> User Management -> Local Users and select 'Create New'. Under the TACACS+ section, select the rule created before (RuleFortiSwitch) for this user, called rgreen3:

- Assign the authorization rule: go to Authentication -> User Management -> User Groups, move the user created (rgreen3) from left to right, and under the 'TACACS+ authorization rule' drop-down select the RuleFortiSwitch rule created before.

Let's test the configuration. On the FortiSwitch, while still logged in with an admin account, check that the user authenticates against the server:

FortiSwitch # diagnose test authserver tacacs+ FAC-TACACS rgreen3 fortinet
authenticate user 'rgreen3' on server 'FAC-TACACS' succeeded
Let's log out from the admin account and log in with the rgreen3 user instead:

In the FortiAuthenticator TACACS+ server log, the user is authenticated correctly:
10.10.70.4 pap login for 'rgreen3~10.10.70.4' (realm: radiusRealm) succeeded