FortiWLC – TACACS+ Authentication

TACACS+ Authentication

Terminal Access Controller Access-Control System Plus (TACACS+) is a remote authentication protocol that runs on a TACACS+ server on the network and is similar to RADIUS authentication. There are some differences between the two, however. RADIUS combines authentication and authorization in one user profile, while TACACS+ separates the two operations. Another difference is that TACACS+ uses TCP port 49 while RADIUS uses UDP port 1812. FortiWLC (SD) supports TACACS+ authentication but not accounting; FortiWLC (SD) supports both RADIUS authentication and accounting. Only the Cisco ACS server is supported for TACACS+ authentication.

The TACACS+ level required, 15 (superuser), 10 – 14 (admin), and 1 – 9 (user), for the activity on the current GUI window is listed in the Help. Click Help on any GUI window of FortiWLC (SD). In the CLI, all command lists also include the required authentication level, which is also now used for both RADIUS and local admin authentication in Release 5.1. TACACS+ actually provides eight levels, but Fortinet only uses the three authentication levels described here. The three levels used are described below:

1 Operator is the lowest authentication level and also the default. Operators can see statistics and results but cannot make any configuration changes.

10 Administrators can also make general configuration changes, but cannot upgrade APs or controllers, nor can they upgrade FortiWLC (SD) versions using Telnet. They cannot configure an NMS server or NTP server, or change the system password, date or time (all CLI). They cannot create admin accounts, nor can they set the authentication mode for a controller (GUI and CLI). Administrators cannot add or remove licensing.

15 SuperUser administrators can perform all configurations on the controller. They are the only ones who can upgrade APs or controllers, and they can upgrade FortiWLC (SD) versions using Telnet. They can configure an NMS server, NTP server, system password, date and time (all CLI). They can also create admins and set the authentication mode for a controller (GUI and CLI). Superusers can add and remove licensing.

Configure TACACS+ Authentication Mode with the CLI

New commands to configure TACACS+ authentication mode for all administrators on a Cisco ACS server were introduced in FortiWLC (SD) 4.1:

  • authentication-mode global
  • primary-tacacs-ip
  • primary-tacacs-port
  • primary-tacacs-secret
  • authentication-type tacacs+
  • secondary-tacacs-ip
  • secondary-tacacs-port
  • secondary-tacacs-secret

For command details, see the FortiWLC (SD) Command Reference.

CLI Example for Setting Authentication Mode to TACACS+

ramcntrl(0)# configure terminal
ramcntrl(0)(config)# authentication-mode global
ramcntrl(0)(config-auth-mode)# authentication-type tacacs+
ramcntrl(0)(config-auth-mode)# primary-tacacs-
primary-tacacs-ip      primary-tacacs-port    primary-tacacs-secret
ramcntrl(0)(config-auth-mode)# primary-tacacs-ip 172.18.1.5
ramcntrl(0)(config-auth-mode)# primary-tacacs-secret TacacsP
ramcntrl(0)(config-auth-mode)# secondary-tacacs-
secondary-tacacs-ip      secondary-tacacs-port    secondary-tacacs-secret
ramcntrl(0)(config-auth-mode)# secondary-tacacs-ip 172.18.1.10
ramcntrl(0)(config-auth-mode)# secondary-tacacs-secret TacacsS
ramcntrl(0)(config-auth-mode)# exit
ramcntrl(0)(config)# exit
ramcntrl(0)# sh authentication-mode
Administrative User Management
AuthenticationType           : tacacs+
Primary RADIUS IP Address    : 172.18.1.3
Primary RADIUS Port          : 1812
Primary RADIUS Secret Key    : *****
Secondary RADIUS IP Address  : 172.18.1.7
Secondary RADIUS Port        : 1812
Secondary RADIUS Secret Key  : *****
Primary TACACS+ IP Address   : 172.18.1.5
Primary TACACS+ Port         : 49
Primary TACACS+ Secret Key   : *****
Secondary TACACS+ IP Address : 172.18.1.10
Secondary TACACS+ Port       : 49
Secondary TACACS+ Secret Key : *****
ramcntrl(0)#
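The show output is what an operator checks after the change. As an added example (not part of the FortiWLC guide), this Python parses that output and flags deviations from the configuration described on this page: authentication type not tacacs+, a missing or invalid primary or secondary server address, a non-default port, or a secret that is unset or not masked. The sample text is constructed from the example above; the finding wording is my own.

```python
import ipaddress
import re

# Constructed sample: the "sh authentication-mode" output from the example above,
# with the RADIUS lines omitted to keep the sample short.
SHOW_AUTH_MODE = """\
Administrative User Management
AuthenticationType           : tacacs+
Primary TACACS+ IP Address   : 172.18.1.5
Primary TACACS+ Port         : 49
Primary TACACS+ Secret Key   : *****
Secondary TACACS+ IP Address : 172.18.1.10
Secondary TACACS+ Port       : 49
Secondary TACACS+ Secret Key : *****
"""

LINE_RE = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")

def parse_show_auth_mode(text):
    """Map each 'Key : value' line of the show output to a dict entry."""
    fields = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            fields[m.group("key")] = m.group("value").strip()
    return fields

def check_tacacs_config(fields):
    """Return findings; an empty list means admin auth is on TACACS+ with both servers set."""
    findings = []
    if fields.get("AuthenticationType") != "tacacs+":
        findings.append("admin authentication type is not tacacs+")
    for role in ("Primary", "Secondary"):
        ip = fields.get(f"{role} TACACS+ IP Address", "")
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            findings.append(f"{role} TACACS+ server IP missing or invalid: {ip!r}")
        if fields.get(f"{role} TACACS+ Port") != "49":
            findings.append(f"{role} TACACS+ port is not the default TCP/49")
        secret = fields.get(f"{role} TACACS+ Secret Key", "")
        # The controller masks a configured secret as *****; anything else is unset or leaked.
        if not secret or secret.strip("*"):
            findings.append(f"{role} TACACS+ secret is unset or displayed in clear text")
    return findings
```

Run it against the captured output of `sh authentication-mode` after a change; the secondary-server check is what catches a deployment that configured only the primary.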

For command details, see the FortiWLC (SD) Command Reference.

Configure TACACS+ Authentication Mode with the Web UI

To configure TACACS+ authentication on a Cisco ACS server for all admins, follow these steps:

  1. Click Configuration > User Management.
  2. Select the Authentication Type Tacacs+ at the top of the screen.
  3. There are three tabs for admin authentication (see Figure 55): RADIUS, Tacacs+ and Local Admins. Click the Tacacs+ tab.

Figure 55: Setting Authentication for Admins

  4. Provide the IP address of the primary TACACS+ server.
  5. Provide a primary TACACS+ port number; the default is 49.
  6. Provide the secret key for TACACS+ server access.
  7. Optionally repeat steps 4, 5 and 6 for a secondary TACACS+ server.
  8. Click OK.
  9. Add administrators on the TACACS+ server using these three levels.

1 Operator is the lowest authentication level and also the default. Operators can see statistics and results but cannot make any configuration changes.

10 Administrators can also make general configuration changes, but cannot upgrade APs or controllers, nor can they upgrade FortiWLC (SD) versions using Telnet. They cannot configure an NMS server or NTP server, or change the system password, date or time (all CLI). They cannot create admins, nor can they set the authentication mode for a controller (GUI and CLI). Administrators cannot add or remove licensing.

15 SuperUser administrators can perform all configurations on the controller. They are the only ones who can upgrade APs or controllers, and they can upgrade FortiWLC (SD) versions using Telnet. They can configure an NMS server, NTP server, system password, date and time (all CLI). They can also create admins and set the authentication mode for a controller (GUI and CLI). Superusers can add and remove licensing.
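The three level descriptions above (here and in the overview) define how FortiWLC turns a TACACS+ privilege level into a role. As an added example that is not from the FortiWLC guide, this Python encodes those bands and the capabilities the text lists, then runs a least-privilege review over a constructed list of TACACS+ accounts, flagging superusers and any level that falls in no band. The action names and the account list are assumptions of mine.

```python
# Authorization bands FortiWLC applies to the TACACS+ privilege level, as
# described above: 1-9 operator (read-only), 10-14 administrator, 15 superuser.
BANDS = ((1, 9, "operator"), (10, 14, "administrator"), (15, 15, "superuser"))

# Minimum role each administrative action needs, taken from the level descriptions above.
MINIMUM_ROLE = {
    "view statistics": "operator",
    "general configuration": "administrator",
    "upgrade AP or controller": "superuser",
    "configure NTP server": "superuser",
    "create admin account": "superuser",
    "set authentication mode": "superuser",
    "manage licensing": "superuser",
}
RANK = {"operator": 0, "administrator": 1, "superuser": 2}

def role_for_level(priv_lvl):
    """Map a TACACS+ privilege level to the FortiWLC role, or None if it falls in no band."""
    for low, high, role in BANDS:
        if low <= priv_lvl <= high:
            return role
    return None

def is_permitted(priv_lvl, action):
    """True when the role derived from priv_lvl meets the minimum role for the action."""
    role = role_for_level(priv_lvl)
    if role is None or action not in MINIMUM_ROLE:
        return False  # unknown level or unknown action: deny by default
    return RANK[role] >= RANK[MINIMUM_ROLE[action]]

# Constructed (name, priv-lvl) export standing in for the admins defined on the ACS server.
ACS_ACCOUNTS = [("noc-view", 1), ("wlan-ops", 10), ("netadmin", 15),
                ("backup-su", 15), ("legacy-svc", 0), ("typo", 16)]

def audit_accounts(accounts):
    """Least-privilege review: list superusers and accounts that map to no FortiWLC role."""
    superusers = [name for name, lvl in accounts if role_for_level(lvl) == "superuser"]
    unmapped = [name for name, lvl in accounts if role_for_level(lvl) is None]
    return {"superusers": superusers, "unmapped": unmapped}
```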
This entry was posted in Administration Guides, FortiWLC.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
