Administration Guide

TACACS+ service

Before FortiAuthenticator can accept TACACS+ authentication requests from a client, the device must be registered on FortiAuthenticator, and it must be assigned to a policy. TACACS+ authorization can be specified by creating authorization rules that can be applied to users and user groups in FortiAuthenticator.

The TACACS+ service can be enabled or disabled on each FortiAuthenticator network interface individually. Before you configure the TACACS+ service for use, confirm that it is enabled on the desired FortiAuthenticator network interface(s).

TACACS+ logs are viewable from the debug logs page.

To view the logs, go to https://<FAC IP>/debug/ and select TACACS+ from the Service dropdown.

Caution

TACACS+ authentication on FortiAuthenticator does not currently support challenge/response, which means:

  • Two-factor authentication is only supported by appending the token to the password during login. For example, where the password is Fortinet and the token PIN is 123456, the password entered by the user will be Fortinet123456.
  • Having end-users change their password during login is not supported.

This section contains the following topics:
