Administration Guide

TACACS+ servers

Terminal Access Controller Access-Control System (TACACS+) is a remote authentication protocol that provides access control for routers, network access servers, and other network computing devices via one or more centralized servers. It allows a client to accept a user name and password and send a query to a TACACS authentication server. The server host determines whether to accept or deny the request and sends a response back that allows or denies network access to the user. The default TCP port for a TACACS+ server is 49.

If you have configured TACACS+ support and an administrator is required to authenticate using a TACACS+ server, the FortiAnalyzer unit contacts the TACACS+ server for authentication. If the TACACS+ server can authenticate the administrator, they are successfully authenticated with the FortiAnalyzer unit. If the TACACS+ server cannot authenticate the administrator, the connection is refused by the FortiAnalyzer unit.

To use a TACACS+ server to authenticate administrators, you must configure the server before configuring the administrator accounts that will use it.

To add a TACACS+ server:
  1. Go to System Settings > Admin > Remote Authentication Server.
  2. Select Create New > TACACS+ Server from the toolbar. The New TACACS+ Server pane opens.

  3. Configure the following settings, and then click OK to add the TACACS+ server.

    Name

    Enter a name to identify the TACACS+ server.

    Server Name/IP

    Enter the IP address or fully qualified domain name of the TACACS+ server.

    Port

    Enter the port for TACACS+ traffic. The default port is 49.

    Server Key

    Enter the key to access the TACACS+ server. The server key can be a maximum of 16 characters in length.

    Authentication Type

    Select the authentication type the TACACS+ server requires. If you select the default ANY, FortiAnalyzer tries all authentication types.
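To make the role of the Server Key and Authentication Type settings concrete, the following added Python example (not part of this guide and not FortiAnalyzer code) runs one PAP authentication START/REPLY exchange as defined in RFC 8907 between a client and a toy in-memory server. Every packet body is obfuscated with an MD5 keystream derived from the shared key, so a client and server configured with different keys cannot read each other's packets and the login cannot succeed. The user name, password, keys and session id are constructed sample values; the 16-character key limit mirrors the Server Key field described above.

```python
"""Added example: minimal TACACS+ (RFC 8907) PAP login exchange between a client and a
toy server, showing how the shared Server Key obfuscates every packet body.
Not FortiAnalyzer code; all users, passwords, keys and session ids are constructed."""
import hashlib
import hmac
import secrets
import struct

HEADER = struct.Struct("!BBBBII")          # version, type, seq_no, flags, session_id, length
VERSION_PAP = 0xC1                         # major 0xC, minor 1 (used for PAP/CHAP/MS-CHAP)
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01                    # body sent in clear; a hardened peer rejects it
ACTION_LOGIN, PRIV_LVL_USER, SERVICE_LOGIN = 0x01, 0x01, 0x01
AUTHEN_TYPES = {"ascii": 0x01, "pap": 0x02, "chap": 0x03, "mschap": 0x05, "mschapv2": 0x06}
STATUS = {0x01: "PASS", 0x02: "FAIL", 0x07: "ERROR"}
MAX_KEY_LEN = 16                           # limit the FortiAnalyzer UI applies to Server Key

# Constructed credential store for the toy server (never hard-code real credentials).
SERVER_USERS = {b"faz-admin": b"correct horse"}


def check_server_key(key: str) -> str:
    """Apply the page's constraint before use: the key must be 1..16 characters long."""
    if not 1 <= len(key) <= MAX_KEY_LEN:
        raise ValueError(f"server key must be 1..{MAX_KEY_LEN} characters")
    return key


def pseudo_pad(session_id: int, key: str, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 keystream: chained MD5(session_id | key | version | seq_no | previous block)."""
    seed = struct.pack("!I", session_id) + key.encode() + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: str, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad; applying it twice restores the original body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key, version=VERSION_PAP):
    hdr = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet, key):
    """Return (version, type, seq_no, session_id, plaintext body); reject clear-text bodies."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if flags & FLAG_UNENCRYPTED:
        raise ValueError("unencrypted TACACS+ body rejected")
    body = packet[HEADER.size:]
    if len(body) != length:
        raise ValueError("body length does not match header")
    return version, ptype, seq_no, session_id, obfuscate(body, session_id, key, version, seq_no)


def build_authen_start(user, password, session_id, key, port=b"https", rem_addr=b"192.0.2.10"):
    """PAP START (seq 1): the password travels in the data field, protected only by the pad."""
    body = struct.pack("!BBBBBBBB", ACTION_LOGIN, PRIV_LVL_USER, AUTHEN_TYPES["pap"],
                       SERVICE_LOGIN, len(user), len(port), len(rem_addr), len(password))
    return build_packet(TYPE_AUTHEN, 1, session_id, body + user + port + rem_addr + password, key)


def server_handle_start(packet, server_key):
    """Toy server: decode START, check PAP credentials, answer with a REPLY (seq 2)."""
    version, _, seq_no, session_id, body = parse_packet(packet, server_key)
    status = 0x07                                      # ERROR unless the body decodes cleanly
    if len(body) >= 8:
        _, _, atype, _, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
        if atype == AUTHEN_TYPES["pap"] and 8 + ul + pl + rl + dl == len(body):
            user = body[8:8 + ul]
            password = body[8 + ul + pl + rl:8 + ul + pl + rl + dl]
            stored = SERVER_USERS.get(user, b"")
            status = 0x01 if stored and hmac.compare_digest(stored, password) else 0x02
    msg = STATUS[status].encode()
    reply = struct.pack("!BBHH", status, 0, len(msg), 0) + msg
    return build_packet(TYPE_AUTHEN, seq_no + 1, session_id, reply, server_key, version)


def client_read_reply(packet, client_key):
    """Decode REPLY; inconsistent lengths (typical of a key mismatch) are reported as UNDECODABLE."""
    try:
        _, _, _, _, body = parse_packet(packet, client_key)
        status, _, msg_len, data_len = struct.unpack("!BBHH", body[:6])
        if 6 + msg_len + data_len != len(body):
            raise ValueError("inconsistent REPLY lengths")
    except (ValueError, struct.error):
        return "UNDECODABLE"
    return STATUS.get(status, f"STATUS_{status:#x}")


def authenticate(user, password, client_key, server_key, session_id=None):
    """Run one START/REPLY round trip in memory and return the outcome string."""
    session_id = secrets.randbits(32) if session_id is None else session_id
    start = build_authen_start(user, password, session_id, check_server_key(client_key))
    return client_read_reply(server_handle_start(start, check_server_key(server_key)), client_key)


if __name__ == "__main__":
    print(authenticate(b"faz-admin", b"correct horse", "s3cret-key", "s3cret-key"))  # PASS
    print(authenticate(b"faz-admin", b"wrong", "s3cret-key", "s3cret-key"))          # FAIL
    print(authenticate(b"faz-admin", b"correct horse", "s3cret-key", "other-key"))   # never PASS
```

The third call shows what a wrong Server Key looks like in practice: the server cannot decode the START and answers ERROR, and the client in turn cannot decode that reply, so the administrator is refused exactly as the text above describes. The `parse_packet` check on the unencrypted flag is the defensive detail worth keeping in any real client: the key only protects the body if both sides refuse clear-text packets. Only PAP is exchanged here; the ASCII authentication type requires an additional GETPASS/CONTINUE round trip that this example does not implement.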