CLI Reference

user tacacs+

Use this command to add or edit information used for Terminal Access Controller Access-Control System (TACACS+) authentication, a remote authentication protocol used to communicate with an authentication server. The default port for a TACACS+ server is 49. A maximum of 10 remote TACACS+ servers can be configured, and alternative authentication methods can be set for each server. These methods include CHAP, PAP, MS-CHAP, and ASCII. The host name for TACACS+ servers must comply with RFC1035.

config user tacacs+
    edit {name}
    # Configure TACACS+ server entries.
        set name {string}   TACACS+ server entry name. size[35]
        set server {string}   Primary TACACS+ server CN domain name or IP address. size[63]
        set secondary-server {string}   Secondary TACACS+ server CN domain name or IP address. size[63]
        set tertiary-server {string}   Tertiary TACACS+ server CN domain name or IP address. size[63]
        set port {integer}   Port number of the TACACS+ server. range[1-65535]
        set key {password_string}   Key to access the primary server. size[128]
        set secondary-key {password_string}   Key to access the secondary server. size[128]
        set tertiary-key {password_string}   Key to access the tertiary server. size[128]
        set authen-type {option}   Allowed authentication protocols/methods.
                mschap  MSCHAP.
                chap    CHAP.
                pap     PAP.
                ascii   ASCII.
                auto    Use PAP, MSCHAP, and CHAP (in that order).
        set authorization {enable | disable}   Enable/disable TACACS+ authorization.
        set source-ip {string}   source IP for communications to TACACS+ server. size[63]
    next
end

Additional information

The following section is for those options that require additional explanation.

authen-type {mschap | chap | pap | ascii | auto}

Authentication method for this TACACS+ server.

  • mschap: MS-CHAP
  • chap: Challenge Handshake Authentication Protocol
  • pap: Password Authentication Protocol
  • ascii: American Standard Code for Information Interchange, a protocol that represents characters as numerical values.
  • auto: Uses PAP, MS-CHAP, and CHAP (in that order). This is the default.

authorization {enable | disable}

Enable or disable TACACS+ authorization. Disabled by default.

key <key>

Key used to access the server.

port <port>

TACACS+ port number for this server. Valid values are 1-65535; the default is 49.

secondary-key <key>

Key used to access the second server.

secondary-server <name/ip>

Name or IP address of the secondary server.

server <name/ip>

Name or IP address of the primary TACACS+ server.

source-ip <src-ip>

Enter the source IP address for communications to the TACACS+ server.

tertiary-key <key>

Key used to access the third server.

tertiary-server <name/ip>

Name or IP address of the tertiary server.
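The following Python is an added example, not Fortinet's code: it checks a planned server entry against the limits this reference states (the size[N] lengths, range[1-65535], the RFC1035 host-name rule, the 10-server maximum, the authen-type values) before rendering it in the config syntax above. The sample entry, its host names and key placeholders are constructed for the example.

```python
import re

AUTHEN_TYPES = {"mschap", "chap", "pap", "ascii", "auto"}   # allowed authen-type values
# Maximum lengths taken from the size[N] annotations in the syntax block above.
SIZES = {"name": 35, "server": 63, "secondary-server": 63, "tertiary-server": 63,
         "key": 128, "secondary-key": 128, "tertiary-key": 128, "source-ip": 63}
_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
_LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")   # one RFC 1035 label

def rfc1035_hostname(host: str) -> bool:
    """Labels of 1-63 chars (letter first, no trailing hyphen), whole name <= 253 chars."""
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))

def validate_entry(entry: dict) -> list:
    """Return the problems found in one server entry; an empty list means it is acceptable."""
    problems = []
    for field, limit in SIZES.items():
        if len(entry.get(field, "")) > limit:
            problems.append(f"{field}: longer than size[{limit}]")
    if not entry.get("name") or not entry.get("server"):
        problems.append("name and server (primary) are required")
    for field in ("server", "secondary-server", "tertiary-server"):
        value = entry.get(field)
        if value and not (_IPV4.match(value) or rfc1035_hostname(value)):
            problems.append(f"{field}: not an IP address or RFC1035 host name")
    if not 1 <= int(entry.get("port", 49)) <= 65535:          # default port is 49
        problems.append("port: outside range[1-65535]")
    if entry.get("authen-type", "auto") not in AUTHEN_TYPES:   # default is auto
        problems.append("authen-type: must be one of " + ", ".join(sorted(AUTHEN_TYPES)))
    return problems

def render_cli(entries: list) -> str:
    """Emit validated entries in the 'config user tacacs+' syntax shown above."""
    if len(entries) > 10:                      # page: at most 10 remote TACACS+ servers
        raise ValueError("at most 10 TACACS+ servers can be configured")
    out = ["config user tacacs+"]
    for entry in entries:
        problems = validate_entry(entry)
        if problems:
            raise ValueError(f"{entry.get('name')}: " + "; ".join(problems))
        out.append(f'    edit "{entry["name"]}"')
        out += [f"        set {k} {v}" for k, v in entry.items() if k != "name"]
        out.append("    next")
    return "\n".join(out + ["end"])

# Constructed sample (not from the page): primary given by host name, secondary by IP.
SAMPLE = {"name": "tac-corp", "server": "tacacs1.example.net", "secondary-server": "10.0.0.49",
          "key": "REPLACE-WITH-SECRET", "secondary-key": "REPLACE-WITH-SECRET", "authen-type": "chap"}
```

Run `print(render_cli([SAMPLE]))` to see the generated block; a failed check raises ValueError naming the offending field instead of producing config the device would reject.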
