Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Summer Badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiADC
- FortiAIOps
- FortiAnalyzer
- FortiAP
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCare Services
- FortiCarrier
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiData
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevice
- FortiDevSec
- FortiDirector
- FortiEdgeCloud
- FortiEDR
- FortiEndpoint
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiGuest
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiPresence
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiSASE Sovereign
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiAppSec Cloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
FortiSwitch
FortiSwitch: secure, simple and scalable Ethernet solutions
- Fortinet Community
- Knowledge Base
- FortiSwitch
- Technical Tip: Use VSA attributes to assign admini...
Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Printer Friendly Page
- Report Inappropriate Content
Description
This article describes how to use VSA attributes to assing administration profiles using TACACS+ authentication under FortiSwitch.
Scope
All FortiSwitch models and versions.
Solution
FortiSwitch devices support RBAC for administrative access. It is possible to use VSA attributes to assing an access profile when remote autenticate users using TACACS+ by sending group-name atributte value on TACACS+ successful authtentication response.
Consider that by default, FortiSwitch devices have only a prof_admin profile.
config system accprofile
edit "prof_admin"
set admingrp read-write
set exec-alias-grp read-write
set loggrp read-write
set mntgrp read-write
set netgrp read-write
set pktmongrp read-write
set routegrp read-write
set swcoregrp read-write
set swmonguardgrp read-write
set sysgrp read-write
set utilgrp read-write
next
It is possible to create as many access profiles as needed on the same configuration section and customize access as needed.
edit "prof_read"
set admingrp read
set exec-alias-grp read
...trunked output...
set utilgrp read
end
Now it is possible to configure user groups and identify a user group using the group-name VSA attribute value as a value for the remote-group under the user group configuration.
config user group
edit "full-acces"
set member "test"
config match
edit 1
set server-name "TACACS"
set group-name "full-admin" <---- group-name VSA TACACS value.
next
end
edit "ro-access"
set member "ro-access"
config match
edit 1
set server-name "TACACS"
set group-name "ro-admin" <---- group-name VSA TACACS value.
next
end
Then assign administration profiles to a remote user group:
config system admin
edit "ADMIN"
set remote-auth enable
set accprofile "prof_admin" <------ Access profile.
set wildcard enable
set remote-group "test" <---- User group.
next
edit "RO_ADMIN"
set remote-auth enable
set accprofile "prof_read" <------ Access profile.
set wildcard enable
set remote-group "ro-access" <---- User group.
end
Refer to the article below to know the general TACACS+ configuration process on a FortiSwitch device:
Labels:
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.