FortiGate
sagha
Staff
Article Id 194507

Description

This article describes the basic commands for debugging TACACS+ connections and authentication.


Solution

Useful information about what is going wrong with TACACS+ authentication can be gathered by running the commands below.

It is usually advised to open two separate SSH sessions to the FortiGate and collect the packet sniffer output together with the debug output.

SSH Session 1:

diagnose sniffer packet any 'host x.x.x.x and port 49' 6 0 a

Or:

diagnose sniffer packet any 'host x.x.x.x' 6 0 a           <- x.x.x.x needs to be replaced with the IP address of the TACACS+ server.

Verbose level 6 prints the full packet contents, count 0 keeps capturing until stopped with Ctrl-C, and 'a' adds absolute timestamps so the capture can be lined up with the debug output from the second session.

 

SSH Session 2:

diagnose debug reset
diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable

The issue can then be replicated, and the relevant information will be displayed in the debug output.
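The sniffer output above shows the TCP port 49 packets as raw bytes; the decoder below, an added example that is not part of this article or of FortiOS, interprets the 12-byte TACACS+ header per RFC 8907 and, given the shared secret, de-obfuscates an authentication START body so the user name and service the FortiGate sent can be checked. It also reports when the unencrypted flag is set, which means the body went out in cleartext. The shared secret, session id, port and address used in the demo are constructed values, and build_authen_start exists only to construct a sample packet.

```python
import hashlib
import struct

# RFC 8907 packet types; flag bit 0x01 marks an unobfuscated (cleartext) body
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}

def parse_header(pkt):
    """Parse the 12-byte TACACS+ header that precedes every body."""
    if len(pkt) < 12: raise ValueError("packet shorter than the TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", pkt[:12])
    return {"version": version, "type": PACKET_TYPES.get(ptype, ptype), "seq_no": seq_no,
            "unencrypted": bool(flags & 0x01),   # cleartext body: a misconfiguration
            "session_id": session_id, "length": length}

def obfuscate(body, session_id, key, version, seq_no):
    """RFC 8907 section 4.5: XOR the body with an MD5-chained pad (symmetric)."""
    seed, pad, prev = struct.pack("!I", session_id) + key + bytes([version, seq_no]), b"", b""
    while len(pad) < len(body):
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return bytes(b ^ p for b, p in zip(body, pad))

def parse_authen_start(body):
    """Authentication START body (RFC 8907 section 5.1): 8 fixed bytes, then variable fields."""
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n]); off += n
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user.decode(), "port": port.decode(),
            "rem_addr": rem_addr.decode(), "data": data}

def decode_packet(pkt, key):
    """Return the parsed header and the de-obfuscated body of one captured packet."""
    hdr = parse_header(pkt)
    body = pkt[12:12 + hdr["length"]]
    if not hdr["unencrypted"]:
        body = obfuscate(body, hdr["session_id"], key, hdr["version"], hdr["seq_no"])
    return hdr, body

def build_authen_start(key, session_id, user, port, rem_addr):
    """Constructed client START packet (ASCII login, no data field) used as demo input."""
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user.encode() + port.encode() + rem_addr.encode()
    version, seq_no = 0xC0, 1   # major version 0xC, minor 0; first packet of the session
    hdr = struct.pack("!BBBBII", version, 1, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)
```

Feed decode_packet the bytes of a captured port 49 packet (TCP payload only) and the server's shared secret; a body that decodes to nonsense is the usual sign that the secret configured on the FortiGate and on the server differ.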

The FortiGate CLI can also be used to test the user credentials directly against the server:

diagnose test authserver tacacs+ <servername> <username> <password>

A successful ('OK') result shows as:

authenticate user 'user-test' on server 'tacacs-test' succeeded
