Configuring a TACACS+ server on the FortiGate unit
A maximum of 10 remote TACACS+ servers can be configured for authentication.
One or more servers must be configured on FortiGate before remote users can be configured. To configure remote users, see Local and remote users on page 475.
The TACACS+ page in the web-based manager is not available until a TACACS+ server has been configured in the CLI. For more information see the CLI Reference.
To configure the FortiGate unit for TACACS+ authentication – web-based manager:
1. Go to User & Device > Authentication > TACACS+ Servers and select Create New.
2. Enter the following information, and select OK.
Name Enter the name of the TACACS+ server.
Server Name/IP Enter the server domain name or IP address of the TACACS+ server.
Server Key Enter the key to access the TACACS+ server.
Authentication Type Select the authentication type to use for the TACACS+ server. Auto tries PAP, MSCHAP, and CHAP (in that order).
To configure the FortiGate unit for TACACS+ authentication – CLI:
config user tacacs+
edit tacacs1
set authen-type auto set key abcdef
set port 49
set server 192.168.0.101 end
POP3 servers
FortiOS can authenticate users who have accounts on POP3 or POP3s email servers. POP3 authentication can be configured only in the CLI.
To configure the FortiGate unit for POP3 authentication:
config user pop3
edit pop3_server1
set server pop3.fortinet.com set secure starttls
set port 110 end
To configure a POP3 user group:
config user group edit pop3_grp
set member pop3_server1 end
A user group can list up to six POP3 servers as members.
SSO servers
Novell and Microsoft Windows networks provide user authentication based on directory services: eDirectory for Novell, Active Directory for Windows. Users can log on at any computer in the domain and have access to resources as defined in their user account. The Fortinet Single Sign On (FSSO) agent enables FortiGate units to authenticate these network users for security policy or VPN access without asking them again for their username and password.
When a user logs in to the Windows or Novell domain, the FSSO agent sends to the FortiGate unit the user’s IP address and the names of the user groups to which the user belongs. The FortiGate unit uses this information to maintain a copy of the domain controller user group database. Because the domain controller authenticates users, the FortiGate unit does not perform authentication. It recognizes group members by their IP address.
In the FortiOS FSSO configuration, you specify the server where the FSSO Collector agent is installed. The Collector agent retrieves the names of the Novell or Active Directory user groups from the domain controllers on the domains, and then the FortiGate unit gets them from the Collector agent. You cannot use these groups directly. You must define FSSO type user groups on your FortiGate unit and then add the Novell or Active Directory user groups to them. The FSSO user groups that you created are used in security policies and VPN configurations to provide access to different services and resources.
FortiAuthenticator servers can replace the Collector agent when FSSO is using polling mode. The benefits of this is that FortiAuthenticator is a stand-alone server that has the necessary FSSO software pre-installed. For more information, see the FortiAuthenticator Administration Guide.