Administration Guide

Introduction
- FortiPAM concepts
- Organization of the guide
- Using the GUI
  - Banner
  - Tables
- Modes of operation
- FortiPAM deployment options
- Feature availability
FortiPAM installation
- Installing FortiClient with the FortiPAM feature
- FortiPAM appliance setup
- FortiPAM with TPM
- Connecting to target remote systems
Licensing
Dashboard
- Adding a custom dashboard
- System information widget
- Licenses widget
- VM license
Folders
- Creating a folder
Secrets
- Secret list
- Secret launchers
  - Creating a launcher
    - Example secret configurations with launchers example
- Secret templates
  - Creating secret templates
- Policies
  - Creating a policy
    - Applying a policy to a folder
- SSH filter profiles
  - Creating an SSH filter
    - Adding SSH filter to secret
    - Example SSH filter profiles example
- Job list
  - Creating a job
Monitoring
- User monitor
- Active sessions
User management
- User definition
  - Creating a user
- User groups
- Role
  - Access control options
- LDAP servers
- SAML Single Sign-On (SSO)
- RADIUS servers
- Schedule
- FortiTokens
Approval request
- My requests
  - Make a request
- Request review
  - Approve a request
- Approval flow
  - Approval profile
    - Enabling approval profiles for a secret
    - Create an approval profile
Password changing
- Character sets
  - Creating a character set
- Password policies
  - Creating a password policy
    - Applying a password policy to a secret template
- Password changers
  - Creating a password changer
    - Automatic password changing
    - Automatic password verification
Authentication
- Addresses
  - Creating an address
  - Creating an address group
- Scheme & Rules
  - Creating an authentication scheme
  - Creating an authentication rule
System
- Firmware
- Settings
- SNMP
- High availability
- Certificates
- ZTNA
- Backup
  - Sending backup file to a server Example
Network
- Interfaces
  - Creating an interface
  - Creating a zone
- DNS settings
- Packet capture
  - Creating a packet capture filter
- Static routes
  - Creating an IPv4 static route
Security profile
- AntiVirus
  - Creating an antivirus profile
    - Enabling antivirus scan in a secret
- Data loss prevention (DLP) protection for secrets
  - Supported file types
Security fabric
- Fabric Connectors
  - FortiAnalyzer logging
Log & report
- Events
- Secret
- ZTNA
- SSH
- Reports
- Log settings
- Email alert settings
  - Email alert when the glass breaking mode is activated example
Troubleshooting
- Troubleshoot using trace files
  - Example troubleshooting example
- FortiPAM HTTP filter
Appendix A: Installation on KVM
Appendix B: Installation on VMware
Appendix C: Installing vTPM package on KVM and adding vTPM to FortiPAM-VM
Appendix D: vTPM for FortiPAM on VMware
Appendix E: Enabling soft RAID on KVM or VMware
Change Log

Home FortiPAM 1.0.0 Administration Guide

1.0.0

RADIUS servers

RADIUS servers can be configured in User Management.

The RADIUS servers store users' information including credentials and some attributes. This information can authenticate FortiPAM remote users and provide groups for authorization.

The Radius servers tab contains the following options:

Create	Select to create a new RADIUS server.
Edit	Select to edit the selected RADIUS server.
Clone	Select to clone the selected RADIUS server.
Delete	Select to delete the selected RADIUS servers.
Search	Enter a search term in the search field, then hit `Enter` to search the RADIUS server list. To narrow down your search, see Column filter.

To create a RADIUS server:

Go to User Management > Radius Servers, and select Create.
The New RADIUS Server wizard opens.

Enter the following information, and click Next after each tab:

Configure Settings

Name

The name of the RADIUS server.

Authentication Type

Select either Default or Specify.

If Specify is selected, from the dropdown, select from the following authentication types:

CHAP: Challenge Handshake Authentication Protocol.
MS-CHAP: Microsoft Challenge Handshake Authentication Protocol.
MS-CHAP-V2: Microsoft Challenge Handshake Authentication Protocol version 2.
PAP: Password Authentication Protocol.

Configure Servers

Primary Server

The access request is always be sent to the primary server first. If the request is denied with an Access-Reject, then the user authentication fails.

IP/Name

The IP address or the FQDN.

Secret

The pre-shared passphrase used to access the RADIUS server.

Secondary Server

If there is no response from the primary server, the access request is sent to the secondary server.

IP/Name

The IP address or the FQDN.

Secret

The pre-shared passphrase used to access the RADIUS server.

Click Test connection to test the connection to the RADIUS server.
If the credentials to the server are valid, it shows Successful.
In the Review tab, verify the information you entered and click Submit to create the RADIUS server.
Use the pen icon to edit tabs.

Alternatively, use the CLI commands to create RADIUS servers.

CLI configuration to set up a RADIUS server example:

config user radius

edit <radius_server_name>

set server <server_ip>

set secret <secret>

end

config authentication scheme

edit "fortipam_auth_scheme"

set method form

set user-database "local-admin-db" <radius_server_name>

end

Setting up RADIUS authentication includes the following steps:

Configure the RADIUS server. Configuring a RADIUS server.
Adding the RADIUS server to a user group. User groups.
Configuring a RADIUS user. Creating a user.

RADIUS servers

RADIUS servers can be configured in User Management.

The RADIUS servers store users' information including credentials and some attributes. This information can authenticate FortiPAM remote users and provide groups for authorization.

The Radius servers tab contains the following options:

Create	Select to create a new RADIUS server.
Edit	Select to edit the selected RADIUS server.
Clone	Select to clone the selected RADIUS server.
Delete	Select to delete the selected RADIUS servers.
Search	Enter a search term in the search field, then hit `Enter` to search the RADIUS server list. To narrow down your search, see Column filter.

To create a RADIUS server:

Go to User Management > Radius Servers, and select Create.
The New RADIUS Server wizard opens.

Enter the following information, and click Next after each tab:

Configure Settings

Name

The name of the RADIUS server.

Authentication Type

Select either Default or Specify.

If Specify is selected, from the dropdown, select from the following authentication types:

CHAP: Challenge Handshake Authentication Protocol.
MS-CHAP: Microsoft Challenge Handshake Authentication Protocol.
MS-CHAP-V2: Microsoft Challenge Handshake Authentication Protocol version 2.
PAP: Password Authentication Protocol.

Configure Servers

Primary Server

The access request is always be sent to the primary server first. If the request is denied with an Access-Reject, then the user authentication fails.

IP/Name

The IP address or the FQDN.

Secret

The pre-shared passphrase used to access the RADIUS server.

Secondary Server

If there is no response from the primary server, the access request is sent to the secondary server.

IP/Name

The IP address or the FQDN.

Secret

The pre-shared passphrase used to access the RADIUS server.

Click Test connection to test the connection to the RADIUS server.
If the credentials to the server are valid, it shows Successful.
In the Review tab, verify the information you entered and click Submit to create the RADIUS server.
Use the pen icon to edit tabs.

Alternatively, use the CLI commands to create RADIUS servers.

CLI configuration to set up a RADIUS server example:

config user radius

edit <radius_server_name>

set server <server_ip>

set secret <secret>

end

config authentication scheme

edit "fortipam_auth_scheme"

set method form

set user-database "local-admin-db" <radius_server_name>

end

Setting up RADIUS authentication includes the following steps:

Configure the RADIUS server. Configuring a RADIUS server.
Adding the RADIUS server to a user group. User groups.
Configuring a RADIUS user. Creating a user.