FortiSwitch Standalone Mode Administration Guide

TACACS

This chapter contains information on using TACACS authentication with your FortiSwitch unit.

Administrative Accounts

Administrative, or admin, accounts allow access to various aspects of the FortiSwitch configuration. The level of access is determined by the access profile used in the admin account.

Configuring an Access Profile for Admin Accounts

Using the web-based manager:

  1. Go to System > Admin > Admin Profile and select Create New.
  2. Give the profile an appropriate name.
  3. Set Access Control as desired, choosing between None, Read Only, or Read-Write.
  4. Select OK.

Using the CLI:

    config system accprofile
        edit <name>
            set admingrp {none | read | read-write}
            set loggrp {none | read | read-write}
            set netgrp {none | read | read-write}
            set routegrp {none | read | read-write}
            set sysgrp {none | read | read-write}
        next
    end

Configuring a TACACS Admin Account

Using the web-based manager:

  1. Go to System > Admin > Administrators and select Create New.
  2. Give the administrator account an appropriate name.
  3. Set Type as
  4. Set User Group to a group for remote users.
  5. Enable Wildcard.
  6. Set Admin Profile to use the new profile.
  7. Select OK.

Using the CLI:

    config system admin
        edit tacuser
            set remote-auth enable
            set wildcard enable
            set remote-group <group>
            set accprofile <profile>
        next
    end

User Accounts

User accounts can be used to identify a network user and determine what parts of the network the user is allowed to access.

Configuring a User Account

    config user tacacs+
        edit <tacserver>
            set authen-type {ascii | auto | chap | ms_chap | pap}
            set authorization enable
            set key <authorization_key>
            set server <server>
        next
    end

Configuring a User Group

    config user group
        edit <tacgroup>
            set member <tacserver>
            config match
                edit 1
                    set server-name <server>
                    set group-name <group>
                next
            end
        next
    end

Example Configuration

The following is an example configuration of a TACACS user account, with the CLI syntax shown to create it:


  1. Configuring a TACACS user account for login authentication:

    config user tacacs+
        edit tacserver
            set authen-type ascii
            set authorization enable
            set key temporary
            set server tacacs_server
        next
    end

  2. Configuring a TACACS user group:

    config user group
        edit tacgroup
            set member tacserver
            config match
                edit 1
                    set server-name tacserver
                    set group-name tacgroup
                next
            end
        next
    end

  3. Configuring a TACACS system admin user account:

    config system admin
        edit tacuser
            set remote-auth enable
            set wildcard enable
            set remote-group tacgroup
            set accprofile noaccess
        next
    end
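As an added check that is not part of the guide or of any Fortinet tool, the following Python parses the CLI text in the flattened form shown above (including the `end end` closings), then cross-checks that the admin account's remote-group names a defined user group whose `member` and match `server-name` point at a defined TACACS+ server, and flags the example's placeholder key `temporary`. The 16-character minimum key length and the SAMPLE text are my own assumptions, not values from the guide.

```python
"""Audit the TACACS+ admin chain from FortiSwitch CLI text; SAMPLE is a constructed copy of the guide's example."""
KEYWORDS = {"config", "edit", "set", "next", "end"}
SAMPLE = """config user tacacs+ edit tacserver set authen-type ascii set authorization enable set key temporary set server tacacs_server end
config user group edit tacgroup set member tacserver config match edit 1 set server-name tacserver set group-name tacgroup end end
config system admin edit tacuser set remote-auth enable set wildcard enable set remote-group tacgroup set accprofile noaccess end end"""

def statements(text):
    """Split CLI text into (keyword, args) pairs; works on indented or flattened input."""
    out = []
    for tok in text.split():
        if tok in KEYWORDS:
            out.append((tok, []))
        elif out:
            out[-1][1].append(tok.strip('"'))
    return out

def parse(text):
    """Return {table: {entry: {option: value}}}; a nested 'config' folds into the enclosing entry."""
    tables, stack, table, entry = {}, [], None, None
    for kw, args in statements(text):
        if kw == "config" and not stack:        # top-level table, e.g. "user tacacs+"
            table, entry = " ".join(args), None
        elif kw == "edit" and len(stack) == 1:  # entry of the top-level table
            entry = args[0]
            tables.setdefault(table, {}).setdefault(entry, {})
        elif kw == "set" and entry in tables.get(table, {}):
            tables[table][entry][args[0]] = " ".join(args[1:])
        if kw in ("config", "edit"):
            stack.append(kw)
        elif kw == "next":
            stack.pop()
        elif kw == "end":                       # 'end' also closes an open 'edit'
            while stack and stack.pop() != "config": pass
    return tables

def audit(tables, admin="tacuser", min_key_len=16):
    """Cross-check admin -> group -> server and return finding strings (min_key_len is an assumed policy)."""
    adm = tables.get("system admin", {}).get(admin, {})
    findings = [] if adm.get("remote-auth") == "enable" else [f"{admin}: remote-auth is not enabled"]
    grp = tables.get("user group", {}).get(adm.get("remote-group"))
    if grp is None:
        return findings + [f"{admin}: remote-group is not a defined user group"]
    servers = tables.get("user tacacs+", {})
    for ref in {grp.get("member"), grp.get("server-name")} - set(servers):
        findings.append(f"{adm['remote-group']}: references undefined TACACS+ server {ref!r}")
    for name, srv in servers.items():
        key = srv.get("key", "")
        if key == "temporary" or len(key) < min_key_len:   # the guide's placeholder key, or too short
            findings.append(f"{name}: shared key is a placeholder or shorter than {min_key_len} characters")
    return findings
```

Running `audit(parse(SAMPLE))` on the guide's example reports only the placeholder key; feed it the output of `show full-configuration` from a real unit to check the same chain there.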

This entry was posted in Administration Guides, FortiSwitch.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
