FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
ocara (Staff)
Article Id 382986
Description

This article describes the steps required to configure RADIUS authentication on FortiPAM for users located on a remote RADIUS server, such as FortiAuthenticator, with OTP management handled by FortiAuthenticator as well.

Scope

FortiPAM.
Solution

Prerequisite:

A RADIUS server must be preconfigured. In this scenario, FortiAuthenticator is used. A user named 'pamadmin' is also configured on the RADIUS server, with a token assigned to that user.

On FortiAuthenticator, a RADIUS client entry is created for FortiPAM, and the corresponding RADIUS policy is preconfigured.

Steps to be followed on FortiPAM:

  1. Configure the RADIUS server on FortiPAM.

     1.png

     The Authentication Type can be PAP, CHAP, MSCHAP, or MSCHAPv2.

     1. Predefine the IP address and secret for the RADIUS server.

     2.png

     FortiPAM provides the option to configure a secondary RADIUS server through the GUI, while a tertiary entry can be configured using the CLI.

     2. Proceed with the next steps and test the connection. The status should display as 'Successful'.

     3.png

A user test can be performed from the CLI, similar to the process on a FortiGate firewall.

FPAVULTM23000759 $ diagnose test authserver radius FortiAuthenticator pap pamadmin ********
Token Code:******
authenticate 'pamadmin' against 'pap' succeeded, server=primary assigned_rad_session_id=555788133 session_timeout=0 secs idle_timeout=0 secs!
Group membership(s) - pamrad
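The test above sends a PAP Access-Request to the RADIUS server and trusts the Access-Accept that comes back. As an added illustration (not FortiPAM or Fortinet code), the following Python builds a minimal RFC 2865 PAP Access-Request, shows how the User-Password attribute is obfuscated with the shared secret and the Request Authenticator, and performs the Response Authenticator check a RADIUS client must do before accepting a reply. The secret, user name, NAS identifier and packets are constructed for the example; nothing here is taken from a real FortiPAM or FortiAuthenticator exchange.

```python
# Added example (not FortiPAM or Fortinet code): a minimal RFC 2865 RADIUS
# client-side helper for a PAP Access-Request, plus the Response Authenticator
# check a client must perform before trusting an Access-Accept. The secret,
# identifiers and packets below are constructed for the example.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IDENTIFIER = 32


def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Obfuscate a PAP password as RFC 2865 section 5.2 describes: pad with NULs
    to a multiple of 16, then XOR each 16-byte chunk with MD5(secret + previous
    chunk), where the 'previous chunk' for the first block is the Request
    Authenticator. Anyone holding the shared secret can reverse this, which is
    why the secret's strength and the network path between client and server matter."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out = bytearray()
    prev = request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += chunk
        prev = chunk
    return bytes(out)


def decode_pap_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_pap_password, i.e. what the RADIUS server does."""
    out = bytearray()
    prev = request_auth
    for i in range(0, len(cipher), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(cipher[i:i + 16], keystream))
        prev = cipher[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value encoding of one RADIUS attribute (length includes the 2-byte header)."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(ident, username, password, secret, nas_id, request_auth=None):
    """Return (packet, request_authenticator); the caller keeps the authenticator to verify the reply."""
    request_auth = request_auth or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username)
             + attribute(ATTR_USER_PASSWORD, encode_pap_password(password, secret, request_auth))
             + attribute(ATTR_NAS_IDENTIFIER, nas_id))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, attrs, request_auth, secret):
    """What a genuine server sends back; used here only to produce a sample reply."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """Accept a reply only if its Response Authenticator matches. A client that
    skips this check would trust any Access-Accept from a host able to spoof the
    server's address, so this check is the defensive purpose of the shared secret."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # constructed value, not a real secret
    pkt, ra = build_access_request(7, b"pamadmin", b"example-password", secret, b"FortiPAM")
    reply = build_access_accept(7, b"", ra, secret)
    print("request length:", len(pkt), "reply verified:", verify_response(reply, ra, secret))
```

The block only builds and checks packets in memory; it does not open a socket. The two points worth taking from it are that PAP hiding is keyed solely by the shared secret, so a weak or widely shared secret exposes every password that crosses the link, and that the Request Authenticator must be kept until the reply arrives so the Response Authenticator can be validated.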

 

Make sure to configure the authentication scheme as below, where FortiAuthenticator is the name of the RADIUS server entry created in step 1:

config authentication scheme
    edit fortipam_auth_scheme
        set user-database local-admin-db FortiAuthenticator
    next
end

  1. Configure the user in the user database and map it to the RADIUS server. Navigate to User Management and select Create.

     Note: Unlike the FortiGate firewall, FortiPAM does not support wildcard administrator accounts. The account used for RADIUS authentication must have the same username as on the RADIUS server.

     4.png

  2. Select the role of the Administrator user, which can be either Default Administrator or Super Administrator.

     5.png

  3. Select Remote User and then select the RADIUS server itself, or map a RADIUS user group directly to the same RADIUS server; the group should be preconfigured under User Management -> User Groups.

     6.png

  4. Ensure that the Username is the same as the name on the RADIUS server.

     7.png

Leave all other settings at their defaults.

Test Login:

8.png

Go to Monitoring -> User Monitor.

9.png

If authentication fails, additional debug logs can be checked on the FortiAuthenticator side at https://<FAC-IP>/debug by selecting RADIUS Authentication.

FortiPAM debugs:

diagnose debug console timestamp enable
diagnose debug application fnbamd -1
diagnose debug enable

Related documents: