TACACS+ Authentication
Terminal Access Controller Access-Control System Plus (TACACS+) is a remote authentication protocol, served by a TACACS+ server on the network, that is similar to RADIUS authentication. There are some differences between the two, however. RADIUS combines authentication and authorization in one user profile, while TACACS+ separates the two operations. Another difference is that TACACS+ uses TCP port 49 while RADIUS uses UDP port 1812. FortiWLC (SD) supports TACACS+ authentication but not accounting; it supports both RADIUS authentication and accounting. Only the Cisco ACS server is supported for TACACS+ authentication.
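The paragraph above notes that TACACS+ runs over TCP/49 and that each server is configured with a shared secret. The following Python example, added here and not FortiWLC or Cisco ACS code, shows what that secret actually does on the wire according to RFC 8907: the 12-byte packet header is sent in the clear, and the body is XORed with an MD5-derived pseudo-pad keyed by the session id, the secret, the version and the sequence number. A wrong secret on either side produces garbage rather than an error, and a packet whose header carries the unencrypted flag carries its body in the clear, which is the condition a defender watching management traffic wants to detect. The secret `TacacsP` is taken from the CLI example on this page; the session id and the packet body are constructed sample values.

```python
import hashlib
import struct

# Packet types, flag bit and version byte as defined in RFC 8907 (TACACS+).
TAC_PLUS_AUTHEN = 1
TAC_PLUS_AUTHOR = 2
TAC_PLUS_ACCT = 3
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_VERSION = 0xC0  # major version 0xC, minor version 0

# 12-byte header: version, type, seq_no, flags, session_id, body length.
HEADER_FMT = "!BBBBII"
HEADER_LEN = struct.calcsize(HEADER_FMT)


def pseudo_pad(session_id, secret, version, seq_no, length):
    """RFC 8907 pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and
    truncated to the body length."""
    prefix = struct.pack("!I", session_id) + secret + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, secret, version, seq_no):
    """XOR the body with the pseudo-pad; symmetric, so it also de-obfuscates."""
    pad = pseudo_pad(session_id, secret, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def pack_packet(ptype, seq_no, session_id, body, secret, unencrypted=False):
    """Build a TACACS+ packet. With unencrypted=True the body is sent as-is
    and the header flag says so (the misconfiguration a defender wants to spot)."""
    flags = TAC_PLUS_UNENCRYPTED_FLAG if unencrypted else 0
    payload = body if unencrypted else obfuscate(body, session_id, secret, TAC_PLUS_VERSION, seq_no)
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(payload))
    return header + payload


def unpack_packet(packet, secret):
    """Parse the header, check the declared length against the bytes received,
    and return (header dict, de-obfuscated body). Truncated or over-long
    packets raise ValueError instead of being processed partially."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte TACACS+ header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    payload = packet[HEADER_LEN:]
    if len(payload) != length:
        raise ValueError(f"header declares {length} body bytes, got {len(payload)}")
    header = {"version": version, "type": ptype, "seq_no": seq_no, "flags": flags,
              "session_id": session_id, "length": length}
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return header, payload
    return header, obfuscate(payload, session_id, secret, version, seq_no)


def is_cleartext(packet):
    """True when the header flags say the body is not obfuscated at all."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the 12-byte TACACS+ header")
    return bool(packet[3] & TAC_PLUS_UNENCRYPTED_FLAG)  # byte 3 is the flags field


def demo():
    """Round-trip a constructed body with the page's example secret and show
    that a wrong secret yields garbage rather than an error."""
    body = b"constructed AUTHEN START body: user=admin"  # constructed sample, not a real packet
    secret = b"TacacsP"                                  # primary secret from the CLI example
    pkt = pack_packet(TAC_PLUS_AUTHEN, 1, 0x1234ABCD, body, secret)  # constructed session id
    _, good = unpack_packet(pkt, secret)
    _, bad = unpack_packet(pkt, b"WrongSecret")
    return good == body, bad == body


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Because the pad is derived only from header fields plus the secret, the obfuscation is as strong as the secret and nothing more; this is why TACACS+ is normally confined to a dedicated management network and why a server that accepts the unencrypted flag deserves an alert.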
The TACACS+ level required for the activity on the current GUI window, 15 (superuser), 10 – 14 (admin), or 1 – 9 (user), is listed in the Help; click Help on any GUI window of FortiWLC (SD). In the CLI, every command list also includes the required authentication level, and as of Release 5.1 the same levels are used for RADIUS and local admin authentication as well. TACACS+ actually provides eight levels, but Fortinet uses only the three authentication levels described here. The three levels used are described below:
Level | Privileges
1 | Operator is the lowest authentication level and also the default. Operators can see statistics and results but cannot make any configuration changes.
10 | Administrators can also make general configuration changes, but cannot upgrade APs or controllers, nor can they upgrade FortiWLC (SD) versions using Telnet. They cannot configure an NMS server or NTP server, or change the system password, date or time (all CLI). They cannot create admin accounts, nor can they set the authentication mode for a controller (GUI and CLI). Administrators cannot add or remove licensing.
15 | SuperUser administrators can perform all configurations on the controller. They are the only ones who can upgrade APs or controllers, and they can upgrade FortiWLC (SD) versions using Telnet. They can configure an NMS server, NTP server, system password, date and time (all CLI). They can also create admins and set the authentication mode for a controller (GUI and CLI). Superusers can add and remove licensing.
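The table above collapses the server-assigned level into three roles and states that some activities (setting the authentication mode, for example) require level 15. The following Python example, added here and not FortiWLC code, shows how a consumer of a TACACS+ authorization reply would parse its attribute-value pairs, validate the `priv-lvl` attribute and apply the page's 1 – 9 / 10 – 14 / 15 bands before allowing an activity. The `attr=value` (mandatory) and `attr*value` (optional) pair syntax and the `priv-lvl` attribute name come from the TACACS+ specification (RFC 8907); that FortiWLC reads exactly this attribute from the Cisco ACS reply is an assumption made for the example, and the reply arguments are constructed samples. Malformed, missing or out-of-range levels are rejected so that a bad reply fails closed rather than defaulting to a role.

```python
# Privilege bands exactly as the page defines them for FortiWLC (SD) admins.
ROLE_BANDS = (
    (15, 15, "superuser"),
    (10, 14, "admin"),
    (1, 9, "operator"),
)


def parse_av_pairs(args):
    """Parse TACACS+ authorization attribute-value pairs. 'attr=value' is a
    mandatory pair and 'attr*value' an optional one; the first '=' or '*' is
    the separator. Returns {attr: (value, mandatory)}."""
    pairs = {}
    for arg in args:
        idx = next((i for i, ch in enumerate(arg) if ch in "=*"), None)
        if idx is None or idx == 0:
            raise ValueError(f"malformed AV pair: {arg!r}")
        pairs[arg[:idx]] = (arg[idx + 1:], arg[idx] == "=")
    return pairs


def privilege_level(pairs):
    """Extract priv-lvl and validate it. Missing, non-numeric or out-of-range
    values raise so that the caller denies access instead of guessing."""
    if "priv-lvl" not in pairs:
        raise ValueError("authorization reply carries no priv-lvl")
    value, _mandatory = pairs["priv-lvl"]
    if not value.isdigit():
        raise ValueError(f"priv-lvl is not numeric: {value!r}")
    level = int(value)
    if not 1 <= level <= 15:
        raise ValueError(f"priv-lvl {level} is outside the 1-15 range used here")
    return level


def role_for_level(level):
    """Map a validated level onto the three roles the page describes."""
    for low, high, role in ROLE_BANDS:
        if low <= level <= high:
            return role
    raise ValueError(f"no role for level {level}")


def permits(level, required):
    """An admin may perform an activity when the granted level is at least
    the level the Help lists for that activity."""
    return level >= required


def decide(args, required):
    """Full path from a reply's args to (role, allowed). Any ValueError from
    parsing or validation propagates, i.e. the decision is a denial."""
    level = privilege_level(parse_av_pairs(args))
    return role_for_level(level), permits(level, required)


if __name__ == "__main__":
    # Constructed reply: a level-12 admin trying an activity that needs 15.
    print(decide(["service=shell", "priv-lvl=12", "idletime*30"], 15))  # ('admin', False)
```

Levels 10 through 14 all land on the same "admin" role, so a server-side policy that hands out 14 expecting extra rights gains nothing on the controller; only 15 unlocks the superuser activities listed in the table.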
Configure TACACS+ Authentication Mode with the CLI
New commands to configure TACACS+ authentication mode for all administrators on a Cisco ACS server were introduced in FortiWLC (SD) 4.1:
- authentication-mode global
- primary-tacacs-ip
- primary-tacacs-port
- primary-tacacs-secret
- authentication-type tacacs+
- secondary-tacacs-ip
- secondary-tacacs-port
- secondary-tacacs-secret
For command details, see the FortiWLC (SD) Command Reference.
CLI Example for Setting Authentication Mode to TACACS+
ramcntrl(0)# configure terminal
ramcntrl(0)(config)# authentication-mode global
ramcntrl(0)(config-auth-mode)# authentication-type tacacs+
ramcntrl(0)(config-auth-mode)# primary-tacacs-
primary-tacacs-ip    primary-tacacs-port    primary-tacacs-secret
ramcntrl(0)(config-auth-mode)# primary-tacacs-ip 172.18.1.5
ramcntrl(0)(config-auth-mode)# primary-tacacs-secret TacacsP
ramcntrl(0)(config-auth-mode)# secondary-tacacs-
secondary-tacacs-ip    secondary-tacacs-port    secondary-tacacs-secret
ramcntrl(0)(config-auth-mode)# secondary-tacacs-ip 172.18.1.10
ramcntrl(0)(config-auth-mode)# secondary-tacacs-secret TacacsS
ramcntrl(0)(config-auth-mode)# exit
ramcntrl(0)(config)# exit
ramcntrl(0)# sh authentication-mode
Administrative User Management
AuthenticationType : tacacs+
Primary RADIUS IP Address : 172.18.1.3
Primary RADIUS Port : 1812
Primary RADIUS Secret Key : *****
Secondary RADIUS IP Address : 172.18.1.7
Secondary RADIUS Port : 1812
Secondary RADIUS Secret Key : *****
Primary TACACS+ IP Address : 172.18.1.5
Primary TACACS+ Port : 49
Primary TACACS+ Secret Key : *****
Secondary TACACS+ IP Address : 172.18.1.10
Secondary TACACS+ Port : 49
Secondary TACACS+ Secret Key : *****
ramcntrl(0)#
Configure TACACS+ Authentication Mode with the Web UI
To configure TACACS+ authentication on a Cisco ACS server for all admins, follow these steps:
1. Click Configuration > User Management.
2. Select the Authentication Type Tacacs+ at the top of the screen.
3. There are three tabs for admin authentication (see Figure 55): RADIUS, Tacacs+ and Local Admins. Click the Tacacs+ tab.
Figure 55: Setting Authentication for Admins
4. Provide the IP address of the primary TACACS+ server.
5. Provide a primary TACACS+ port number; the default is 49.
6. Provide the secret key for TACACS+ server access.
7. Optionally repeat steps 4, 5 and 6 for a secondary TACACS+ server.
8. Click OK.
9. Add administrators on the TACACS+ server using these three levels:
Level | Privileges
1 | Operator is the lowest authentication level and also the default. Operators can see statistics and results but cannot make any configuration changes.
10 | Administrators can also make general configuration changes, but cannot upgrade APs or controllers, nor can they upgrade FortiWLC (SD) versions using Telnet. They cannot configure an NMS server or NTP server, or change the system password, date or time (all CLI). They cannot create admins, nor can they set the authentication mode for a controller (GUI and CLI). Administrators cannot add or remove licensing.
15 | SuperUser administrators can perform all configurations on the controller. They are the only ones who can upgrade APs or controllers, and they can upgrade FortiWLC (SD) versions using Telnet. They can configure an NMS server, NTP server, system password, date and time (all CLI). They can also create admins and set the authentication mode for a controller (GUI and CLI). Superusers can add and remove licensing.