Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
John_Stoker
New Contributor II

TACACS+ and/or RADIUS Admin Authentication

We' re hoping to setup TACACS or RADIUS so that when we have a new engineer or one leave we can just remove him/her from the auth server and not have to go to every FG, but so far it looks like you still have to put in the username and pswd for every admin on every FG and it just verifies the username and pswd used matches that on the auth server. Is this the only way and correct way for this to work? Thanks, John
John CISSP, FCNSP Adv(thanks)ance
John CISSP, FCNSP Adv(thanks)ance
7 REPLIES 7
abelio
SuperUser
SuperUser

Is this the only way and correct way for this to work?
not exactly Authentication is always again usergroups. Define your radius or tac+ server and include it within a usergroup; then associate the administrator with the user group. Done. regards

regards




/ Abel

regards / Abel
Not applicable

Hi Abel: I came to same conclusion John did, should I leave the password field blank? Also, can the FGT handle a secure communication to the LDAP/RADIUS/TACACS server? I want to prevent cleartext password in my network. Regards, Sebastian
abelio

I came to same conclusion John did, should I leave the password field blank?
Not exactly; Authenticate FTG administrators against remote server (Radius, Tac+, etc) has different approach that standard non-administrative users. Indeed, for administrators, you have to include the password in the FTG even when it be authenticated against remote server; If you want block an administrator if the guy leaves your company, change its credentials in the TAC+ server; after that the authentication will fail for that admin. This don' t saves the extra work of entering into each FGT box to remove the administrator user, but you can prevent that him could connect to the box. regards,

regards




/ Abel

regards / Abel
romanr
Valued Contributor

Hi, unfortunately I have not done a Tacacs installation with FortiOS by myself, but would be really interested to hear about administrators being handled via Tacacs. Tacacs+ itself is encrypted transport via tcp!! cheers.roman
Not applicable

Thks
p768
New Contributor

You can configure the FG to use the Wildcard option for TACACS. This way you do not need to provide either the Administrators username or password. The TACACS server authenticates the administrator, and then they are given the Access profile you have specified.
John_Stoker
New Contributor II

You can configure the FG to use the Wildcard option for TACACS. This way you do not need to provide either the Administrators username or password. The TACACS server authenticates the administrator, and then they are given the Access profile you have specified.
p768 THANK YOU!!! Works like a charm! :D
John CISSP, FCNSP Adv(thanks)ance
John CISSP, FCNSP Adv(thanks)ance
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors