Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
John_Stoker
New Contributor II

Created on ‎04-28-2009 11:01 AM

TACACS+ and/or RADIUS Admin Authentication

We' re hoping to setup TACACS or RADIUS so that when we have a new engineer or one leave we can just remove him/her from the auth server and not have to go to every FG, but so far it looks like you still have to put in the username and pswd for every admin on every FG and it just verifies the username and pswd used matches that on the auth server. Is this the only way and correct way for this to work? Thanks, John
John CISSP, FCNSP Adv(thanks)ance
John CISSP, FCNSP Adv(thanks)ance
5014
0 Kudos
7 REPLIES 7
abelio
SuperUser
SuperUser

Created on ‎04-28-2009 06:11 PM

Is this the only way and correct way for this to work?
not exactly Authentication is always again usergroups. Define your radius or tac+ server and include it within a usergroup; then associate the administrator with the user group. Done. regards

regards




/ Abel

regards / Abel
2409
0 Kudos
Not applicable

Created on ‎01-29-2010 08:06 AM

Hi Abel: I came to same conclusion John did, should I leave the password field blank? Also, can the FGT handle a secure communication to the LDAP/RADIUS/TACACS server? I want to prevent cleartext password in my network. Regards, Sebastian
2409
0 Kudos
abelio
SuperUser
SuperUser
In response to

Created on ‎01-29-2010 12:50 PM

I came to same conclusion John did, should I leave the password field blank?
Not exactly; Authenticate FTG administrators against remote server (Radius, Tac+, etc) has different approach that standard non-administrative users. Indeed, for administrators, you have to include the password in the FTG even when it be authenticated against remote server; If you want block an administrator if the guy leaves your company, change its credentials in the TAC+ server; after that the authentication will fail for that admin. This don' t saves the extra work of entering into each FGT box to remove the administrator user, but you can prevent that him could connect to the box. regards,

regards




/ Abel

regards / Abel
2409
0 Kudos
romanr
Valued Contributor

Created on ‎01-29-2010 08:15 AM

Hi, unfortunately I have not done a Tacacs installation with FortiOS by myself, but would be really interested to hear about administrators being handled via Tacacs. Tacacs+ itself is encrypted transport via tcp!! cheers.roman
2409
0 Kudos
Not applicable

Created on ‎01-29-2010 08:51 AM

Thks
2409
0 Kudos
p768
New Contributor

Created on ‎02-02-2010 12:38 AM

You can configure the FG to use the Wildcard option for TACACS. This way you do not need to provide either the Administrators username or password. The TACACS server authenticates the administrator, and then they are given the Access profile you have specified.
2409
0 Kudos
John_Stoker
New Contributor II

Created on ‎02-09-2010 04:10 PM

You can configure the FG to use the Wildcard option for TACACS. This way you do not need to provide either the Administrators username or password. The TACACS server authenticates the administrator, and then they are given the Access profile you have specified.
p768 THANK YOU!!! Works like a charm! :D
John CISSP, FCNSP Adv(thanks)ance
John CISSP, FCNSP Adv(thanks)ance
2409
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.