TACACS+ clients can be managed from Authentication > TACACS+ Service > Clients.
Clients can be added, imported, deleted, and edited as needed.
TACACS+ clients must use single-connection mode when using FortiAuthenticator for TACACS+ AAA.
Once created, clients can be assigned to a TACACS+ policy. See Creating policies.
- Go to Authentication > TACACS+ Service > Clients, and click Create New to add a new TACACS+ client.
The Create New TACACS+ Client window opens.
- Enter the following information:
  - Name: Input a name to identify the TACACS+ client.
  - Choose to specify the client address as an IP address or Subnet.
  - IP Address/Subnet: Enter the IP address or subnet of the client.
  - Secret: Enter the TACACS+ passphrase that is shared with the client.
- Select OK to add the new TACACS+ client.
If authentication fails, check that the authentication client is configured and that its IP address is correctly specified. Common causes of authentication problems are:
TACACS+ on FortiAuthenticator supports the ASCII and PAP authentication types. Other authentication types supported by the TACACS+ protocol (CHAP and MSCHAPv2) will be denied.
When configuring TACACS+ settings on a client, for example FortiGate, the ASCII authentication type must be selected.
- Go to Authentication > TACACS+ Service > Clients, and click Import.
The Import TACACS+ Clients window opens.
- Click Upload a file and choose the file location of the CSV file containing your TACACS+ client list.
Each line of the CSV file must contain values in the following format:
- Name: String.
- Address: IP address or subnet.
- Secret: String.
- Policy: Name of a TACACS+ policy (optional).
Unique IP and policy:
Subnet and no policy:
- Click OK.
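A pre-import check for the CSV format described above, as an added example that is not part of the original page or of FortiAuthenticator. It assumes comma-separated fields in the listed order with no header row; the sample rows are constructed, and the overlap check is a review aid, not documented product behavior.

```python
import csv
import io
import ipaddress

# Constructed sample import file (not from the original page); assumed column
# order follows the page: Name, Address, Secret, optional Policy.
SAMPLE_CSV = """\
core-sw1,192.0.2.10,Example-Secret-One,NetAdmins
branch-lan,198.51.100.0/24,Example-Secret-Two
edge-fw1,198.51.100.7,Example-Secret-Three,NetAdmins
bad-host,192.0.2.300,Example-Secret-Four
no-secret,203.0.113.5,
"""


def lint_clients(text):
    """Return a list of (line_number, message) findings for a client CSV."""
    findings = []
    seen_names = {}
    seen_nets = []  # (network, line_number) of every valid address so far
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not row:
            continue  # skip blank lines
        if len(row) not in (3, 4):
            findings.append((lineno, "expected 3 or 4 fields, got %d" % len(row)))
            continue
        name, address, secret = row[0], row[1], row[2]
        first = seen_names.setdefault(name, lineno)
        if first != lineno:
            findings.append((lineno, "duplicate name, first on line %d" % first))
        if not secret:
            findings.append((lineno, "empty secret"))
        elif secret != secret.strip():
            findings.append((lineno, "secret has leading or trailing whitespace"))
        try:
            net = ipaddress.ip_network(address.strip(), strict=False)  # host or subnet
        except ValueError:
            findings.append((lineno, "address is not an IP address or subnet"))
            continue
        for other, other_line in seen_nets:
            if net.version == other.version and net.overlaps(other):
                findings.append((lineno, "address overlaps line %d" % other_line))
        seen_nets.append((net, lineno))
    return findings


if __name__ == "__main__":
    for lineno, message in lint_clients(SAMPLE_CSV):
        print("line %d: %s" % (lineno, message))
```

An overlap finding marks entries where a host address also falls inside an imported subnet, so the two secrets and policies can be reviewed together before the file is uploaded.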