FortiAuthenticator
scollins
Staff
Article Id 275156
Description

This article describes how to configure FortiAuthenticator as a TACACS+ server for FortiGate user authorization.

FortiAuthenticator can act as a central TACACS+ server: it authenticates the administrator and, through TACACS+ authorization, tells the FortiGate which admin profile to apply to the session.

Scope

Specific users on FortiAuthenticator should be able to authenticate and access the FortiGate with the appropriate admin profile.

Solution

Generic TACACS+ configuration information for both FortiGate and FortiAuthenticator can be found in the Fortinet Document Library.

 

For example:

FortiGate: TACACS+ servers

FortiAuthenticator: TACACS+ service

The following document details the required FortiGate configuration:

Remote administrators with TACACS VSA attributes

 

Configuring FortiAuthenticator Authorization:

The following Authorization Service, once configured and permitted by an Authorization Rule, returns the appropriate Vendor-Specific Attributes (VSAs) to the FortiGate during the TACACS+ authorization phase that follows authentication.

  1. Authorization Service:

 Go to Authentication -> TACACS+ Service -> Authorization, and select Services from the top right menu.

 

Picture4.png

 

  • service: must be 'fortigate'.
  • admin_prof: the name of the admin profile on the FortiGate that the user will be granted.
  • memberof: the FortiGate user group the user is matched against; the value must be identical to the group name configured on the FortiGate.

Note:

If 'set vdom-override enable' has been configured under the admin user on the FortiGate, the VDOM VSA can also be added to the FortiAuthenticator service so that the administrator is placed in a specific VDOM (example below):

   Picture7.png

 

  2. Authorization Rule:

 Go to Authentication -> TACACS+ Service -> Authorization, and select Rules (default) from the top right menu.

 Picture5.png
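The FortiGate side that consumes the VSAs above, given here as an added example rather than configuration taken from this article or from Fortinet's documentation. The server name 'tacacs_fac', the address 192.0.2.10, the shared secret placeholder, the user group 'tacacs_admins', the wildcard admin 'tacacs_wildcard', the profile 'prof_admin', the VDOM 'root' and the test user 'alice' are all assumed values chosen for illustration. With this configuration, the FortiAuthenticator Authorization Service for this FortiGate would carry service=fortigate, admin_prof=prof_admin and memberof=tacacs_admins.

```fortios
# Added example (not from the article): FortiGate CLI counterpart to the
# FortiAuthenticator Authorization Service. All names and addresses are assumed.

# 1. TACACS+ server entry pointing at FortiAuthenticator. 'set authorization enable'
#    is what makes the FortiGate send a TACACS+ authorization request after
#    authentication succeeds and act on the VSAs that come back.
config user tacacs+
    edit "tacacs_fac"
        set server "192.0.2.10"
        set key "<shared-secret-configured-on-FortiAuthenticator>"
        set authen-type auto
        set authorization enable
    next
end

# 2. User group wrapping the server. Its name must be exactly the value
#    returned in the 'memberof' VSA (here: memberof=tacacs_admins).
config user group
    edit "tacacs_admins"
        set member "tacacs_fac"
    next
end

# 3. Wildcard remote admin bound to that group. 'accprofile' and 'vdom' are the
#    fallback values: 'admin_prof' returned by FortiAuthenticator overrides
#    accprofile, and the VDOM VSA overrides vdom only because vdom-override is
#    enabled (which requires VDOMs to be enabled on the FortiGate).
config system admin
    edit "tacacs_wildcard"
        set remote-auth enable
        set wildcard enable
        set remote-group "tacacs_admins"
        set accprofile "prof_admin"
        set vdom "root"
        set vdom-override enable
    next
end

# 4. Check from the FortiGate CLI: authenticates the assumed user 'alice' against
#    the server and reports whether authentication succeeded, before testing a
#    real GUI or SSH login.
diagnose test authserver tacacs+ tacacs_fac alice <password>
```

When a remote administrator authenticates but is not granted the expected profile, the first thing to verify is that the memberof value in the FortiAuthenticator service matches the FortiGate group name character for character, and that admin_prof names a profile that actually exists on that FortiGate; a mismatch in either leaves the FortiGate unable to map the login to the wildcard admin.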