Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Adding clients

TACACS+ clients can be managed from Authentication > TACACS+ Service > Clients.

Clients can be added, imported, deleted, and edited as needed.

TACACS+ clients must use single-connection mode when using FortiAuthenticator for TACACS+ AAA.

Once created, clients can be assigned to a TACACS+ policy. See Creating policies.

To configure a TACACS+ client:
  1. Go to Authentication > TACACS+ Service > Clients, and click Create New to add a new TACACS+ client.
    The Create New TACACS+ Client window opens.
  2. Enter the following information:
    Name Input a name to identify the TACACS+ client.

    Client address

    Choose to specify the client address as an IP address or Subnet.

    IP Address/Subnet Enter the IP address or subnet of the client.
    Secret Enter the TACACS+ passphrase that is shared with the client.
  3. Select OK to add the new TACACS+ client.
Tooltip

If authentication fails, check that the authentication client is configured and that its IP address is correctly specified. Common causes of authentication problems are:

  • TACACS+ packets sent from an unexpected interface, or IP address.
  • NAT performed between the authentication client and FortiAuthenticator.
Tooltip

TACACS+ on FortiAuthenticator supports the ASCII authentication type. Other authentication types supported by the TACACS+ protocol (PAP, CHAP, and MSCHAPv2) will be denied.

When configuring TACACS+ settings on a client, for example FortiGate, the ASCII authentication type must be selected.

To import TACACS+ clients:
  1. Go to Authentication > TACACS+ Service > Clients, and click Import.
    The Import TACACS+ Clients window opens.
  2. Click Upload a file and choose the file location of the CSV file containing your TACACS+ client list.

    Each line of the CSV file must contain values in the following format:

    • Name: String.
    • Address: IP address or subnet.
    • Secret: String.
    • Policy: Name of a TACACS+ policy (optional).

    For example:

    • Unique IP and policy: myclient,1.2.3.4,secret123,mypolicy
    • Subnet and no policy: myclients,1.2.3.0/24,secret123,
  3. Click OK.

Adding clients

TACACS+ clients can be managed from Authentication > TACACS+ Service > Clients.

Clients can be added, imported, deleted, and edited as needed.

TACACS+ clients must use single-connection mode when using FortiAuthenticator for TACACS+ AAA.

Once created, clients can be assigned to a TACACS+ policy. See Creating policies.

To configure a TACACS+ client:
  1. Go to Authentication > TACACS+ Service > Clients, and click Create New to add a new TACACS+ client.
    The Create New TACACS+ Client window opens.
  2. Enter the following information:
    Name Input a name to identify the TACACS+ client.

    Client address

    Choose to specify the client address as an IP address or Subnet.

    IP Address/Subnet Enter the IP address or subnet of the client.
    Secret Enter the TACACS+ passphrase that is shared with the client.
  3. Select OK to add the new TACACS+ client.
Tooltip

If authentication fails, check that the authentication client is configured and that its IP address is correctly specified. Common causes of authentication problems are:

  • TACACS+ packets sent from an unexpected interface, or IP address.
  • NAT performed between the authentication client and FortiAuthenticator.
Tooltip

TACACS+ on FortiAuthenticator supports the ASCII authentication type. Other authentication types supported by the TACACS+ protocol (PAP, CHAP, and MSCHAPv2) will be denied.

When configuring TACACS+ settings on a client, for example FortiGate, the ASCII authentication type must be selected.

To import TACACS+ clients:
  1. Go to Authentication > TACACS+ Service > Clients, and click Import.
    The Import TACACS+ Clients window opens.
  2. Click Upload a file and choose the file location of the CSV file containing your TACACS+ client list.

    Each line of the CSV file must contain values in the following format:

    • Name: String.
    • Address: IP address or subnet.
    • Secret: String.
    • Policy: Name of a TACACS+ policy (optional).

    For example:

    • Unique IP and policy: myclient,1.2.3.4,secret123,mypolicy
    • Subnet and no policy: myclients,1.2.3.0/24,secret123,
  3. Click OK.