Description
This article describes how to configure password authentication for a system admin user against a remote TACACS+ server, while authorization is handled locally on the FortiGate through an access profile.
Solution
1) Add the TACACS+ server to the FortiGate.
From GUI:
# config user tacacs+
    edit "TACACS_server"
        set server "10.0.3.114"
        set key <server key>
        set authen-type chap
        set authorization enable
    next
end

2) Create a user group and add the server as a member.
# config user group
    edit "TACACS_GROUP"
        set member "TACACS_server"
    next
end

3) Create the custom access profile.
# config system accprofile
    edit "read_only"
        set secfabgrp read
        set ftviewgrp read
        set authgrp read
        set sysgrp read
        set netgrp read
        set loggrp read
        set fwgrp read
        set vpngrp read
        set utmgrp read
        set wanoptgrp read
        set wifi read
    next
end

4) Create the admin user and select the Administrator Profile.
# config system admin
    edit "limited_admin"
        set remote-auth enable
        set accprofile "read_only"
        set vdom "root"
        set remote-group "TACACS_GROUP"
    next
end
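To check that a configuration export still matches the intent of these steps (remote authentication enabled, a remote group bound, and a profile that grants only read access), here is an added Python example; it is not part of the Fortinet article, it assumes the flat config/edit/set layout shown above, and it runs over a constructed sample rather than a real export.

```python
# Constructed sample (not a real export) with one deliberate slip: fwgrp read-write.
SAMPLE = '''
config system accprofile
    edit "read_only"
        set secfabgrp read
        set fwgrp read-write
    next
end
config system admin
    edit "limited_admin"
        set remote-auth enable
        set accprofile "read_only"
        set vdom "root"
        set remote-group "TACACS_GROUP"
    next
end
'''

def parse_fortios(text):
    """Parse flat config/edit/set text into {section: {entry: {key: value}}}; next/end are ignored."""
    tree, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
            tree.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            tree[section][entry] = {}
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            tree[section][entry][key] = value.strip('"')
    return tree

def check_remote_admin(tree, admin_name):
    """Return findings (empty = OK): remote auth on, a remote group bound, read-only profile."""
    admin = tree.get("system admin", {}).get(admin_name, {})
    findings = []
    if admin.get("remote-auth") != "enable":
        findings.append("remote-auth is not enabled")
    if not admin.get("remote-group"):
        findings.append("no remote-group bound")
    profile = tree.get("system accprofile", {}).get(admin.get("accprofile", ""))
    if profile is None:
        return findings + ["accprofile does not exist"]
    for key, value in profile.items():
        # Permission groups end in "grp" (plus the older "wifi" key); anything but read/none grants write.
        if (key.endswith("grp") or key == "wifi") and value not in ("read", "none"):
            findings.append(f"{key} is {value}, expected read or none")
    return findings
```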
Copyright 2024 Fortinet, Inc. All Rights Reserved.