
Tacacs+ servers – Fortinet FortiGate v3.0 MR7 User Manual

Page 25


Authentication servers

TACACS+ servers

FortiOS v3.0 MR7 User Authentication User Guide
01-30007-0347-20080828


TACACS+ servers

In recent years, remote network access has shifted from terminal access to LAN
access. Users are now connecting to their corporate network (using notebooks or
home PCs) with computers that utilize complete network connections. Remote
node technology allows users the same level of access to the corporate network
resources as they would have if they were physically in the office. When users
connect to their corporate network remotely, they do so through a remote access
server. As remote access technology has evolved, the need for network access
security has become increasingly important.

Terminal Access Controller Access-Control System (TACACS+) is a remote
authentication protocol that provides access control for routers, network access
servers, and other networked computing devices via one or more centralized
servers. TACACS+ allows a client to accept a username and password and send
a query to a TACACS+ authentication server. The server host determines whether
to accept or deny the request and sends a response back that allows or denies
network access to the user. The default TCP port for a TACACS+ server is 49.
You can only change the default port of the TACACS+ server using the CLI.

There are several different authentication protocols that TACACS+ can use during
the authentication process:

ASCII
    Machine-independent technique that uses representations of English
    characters. Requires the user to type a user name and password, which are
    sent in clear text (unencrypted) and matched with an entry in the user
    database stored in ASCII format.

PAP (password authentication protocol)
    Used to authenticate PPP connections. Transmits passwords and other user
    information in clear text.

CHAP (challenge-handshake authentication protocol)
    Provides the same functionality as PAP, but is more secure because it does
    not send the password and other user information over the network to the
    security server.

MS-CHAP (Microsoft challenge-handshake authentication protocol v1)
    Microsoft-specific version of CHAP.

The default protocol configuration, Auto, uses PAP, MS-CHAP, and CHAP, in that
order.
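As an added illustration that is not part of the FortiGate guide, the following Python encodes and decodes a TACACS+ authentication START packet, the query the client sends to the server on TCP port 49. It shows where the authen_type for ASCII, PAP, CHAP or MS-CHAP is carried and how the shared key obfuscates the packet body, so that a PAP password is only readable on the wire when the unencrypted flag is set. The key, user name, password, port and remote address are constructed sample values.

```python
# Added example, not from the FortiGate manual: encode and decode a TACACS+ authentication
# START packet (RFC 8907). Shows the 12-byte header, the authen_type values for the methods
# listed above and the MD5 pseudo-pad obfuscation keyed by the shared secret (constructed values).
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # header type: authentication packet
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action: login
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # flag bit: body travels in clear text
AUTHEN_TYPES = {"ascii": 1, "pap": 2, "chap": 3, "mschap": 5}
VERSION = {"ascii": 0xC0, "pap": 0xC1, "chap": 0xC1, "mschap": 0xC1}  # major 0xC; minor 1 for PAP/CHAP/MS-CHAP

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain from RFC 8907 section 4.5; the body is XORed with this pad."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))  # XOR: the same call un-obfuscates

def build_authen_start(user, password, method, session_id, key, priv_lvl=1):
    """Authentication START (seq_no 1, authen_service LOGIN=1); PAP carries the password in data."""
    method = method.lower()
    data = password.encode() if method == "pap" else b""
    user_b, port_b, rem_b = user.encode(), b"vty0", b"10.0.0.5"  # constructed sample values
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPES[method], 1,
                       len(user_b), len(port_b), len(rem_b), len(data))
    body += user_b + port_b + rem_b + data
    version, seq_no, flags = VERSION[method], 1, 0
    if key:
        body = obfuscate(body, session_id, key, version, seq_no)
    else:  # no shared key: the flag is set and a PAP password crosses the wire readable
        flags = TAC_PLUS_UNENCRYPTED_FLAG
    return struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, flags, session_id, len(body)) + body

def parse_authen_start(packet, key):
    """Decode the header, undo the obfuscation with the shared key and return the START fields."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv, atype, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    user, port = body[8:8 + ul].decode(), body[8 + ul:8 + ul + pl].decode()
    rem_addr, data = body[8 + ul + pl:8 + ul + pl + rl].decode(), body[8 + ul + pl + rl:8 + ul + pl + rl + dl]
    return {"version": version, "type": ptype, "flags": flags, "authen_type": atype,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr, "data": data}
```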

Configuring the FortiGate unit to use a TACACS+ authentication server

The maximum number of remote TACACS+ servers that can be configured for
authentication is 10.

To configure the FortiGate unit for TACACS+ authentication - web-based manager

1. Go to User > Remote > TACACS+ and select Create New.

2. Enter the following information, and select OK.