FortiPAM
FortiPAM allows you to protect, isolate and secure privileged account credentials, manage and control privileged user access, and monitor and record privileged account activity.
rbraha
Staff
Article Id 286165
Description

 

This article describes how to log in to FortiPAM with remote LDAP users that have a token assigned in FortiAuthenticator. FortiPAM authenticates the users against FortiAuthenticator over RADIUS; FortiAuthenticator validates the LDAP credentials plus token and returns a group attribute that FortiPAM maps to a remote user group.

 

Scope

 

FortiPAM, FortiAuthenticator.

 

Solution

 

  1. Add FortiAuthenticator as a RADIUS server in FortiPAM under User Management -> RADIUS Server: select 'Create New' and enter the FortiAuthenticator IP address and a shared secret. The same secret must be configured on the FortiAuthenticator side for this RADIUS client.

 

rad1.png

 

  2. Create a User Group with Type set to Remote and specify a Group Name. This string must match exactly the value of the RADIUS group attribute that FortiAuthenticator returns for the group created there (see the FortiAuthenticator configuration below).

 

rad2.png

 

  3. Create a standard user with user type 'Remote User' and select the Remote Group created in step 2.

 

kb_edit_02.06.PNG

  

  4. Grant the group permission on the folder. All users that belong to that group then have access to the secrets in that folder.

 

kb_edit_04.06.PNG

 

kb_edit_03.06.PNG

 

Configuration required on FortiAuthenticator:

It is presumed that FortiAuthenticator is already integrated with the LDAP server and assigns a token to the remote LDAP user. Follow the admin guides below:

LDAP

Remote users

 

  1. Create a new RADIUS user group on FortiAuthenticator and add the remote LDAP users that belong to it. Specify the RADIUS attribute with the same string value as the Group Name of the remote group created on FortiPAM.

 

rad6.png

 

  2. Create a RADIUS policy on FortiAuthenticator for FortiPAM. Leave the RADIUS attribute criteria and the authentication type at their defaults.

 

rad5.png

 

Test: log in to FortiPAM with the user 'pirlo'. The authentication can be verified in the FortiAuthenticator debug logs at https://<fac-ip>/debug by selecting Radius-Authentication.

 

rad7.png
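As an added example (written for this article, not FortiPAM or FortiAuthenticator code), the following Python script walks through the RADIUS exchange that the steps above configure: FortiPAM sends an Access-Request carrying the user name and the PAP-encoded password, FortiAuthenticator answers with an Access-Accept carrying the group string, and FortiPAM checks the Response Authenticator with the shared secret and compares the returned string with its Remote group name. The group attribute is assumed here to be Fortinet-Group-Name (vendor ID 12356, vendor type 1, as in the Fortinet RADIUS dictionary); the article itself does not name the attribute. The shared secret, user name, password and group strings are constructed sample values. The simulate function also shows the two usual failure modes: a shared-secret mismatch (the reply cannot be validated) and a group-string mismatch (authentication succeeds but the user lands in no FortiPAM group and therefore gets no folder access).

```python
"""Offline model of the FortiPAM (RADIUS client) <-> FortiAuthenticator
(RADIUS server) exchange. Example code for this article; the secret, user,
password and group names are constructed sample data."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_VENDOR_SPECIFIC = 26
FORTINET_VENDOR_ID = 12356   # Fortinet enterprise number (RADIUS dictionary)
FORTINET_GROUP_NAME = 1      # Fortinet-Group-Name vendor sub-type (assumed)


def _attr(attr_type, value):
    # RFC 2865 attribute layout: Type(1) Length(1) Value
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _fortinet_group_vsa(group):
    # Vendor-Specific: Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) String
    sub = struct.pack("!BB", FORTINET_GROUP_NAME, len(group) + 2) + group.encode()
    return _attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", FORTINET_VENDOR_ID) + sub)


def encode_pap_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each block with
    # MD5(secret + previous block); the first "previous block" is the
    # Request Authenticator. A wrong secret garbles the password server-side.
    padded = password + b"\x00" * ((16 - len(password) % 16) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_pap_password(encoded, secret, authenticator):
    # Server side: same keystream, chained on the ciphertext blocks.
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, username, password, secret, authenticator=None):
    # What FortiPAM sends to FortiAuthenticator (User-Name + User-Password).
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, encode_pap_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def build_access_accept(ident, request_auth, group, secret):
    # What FortiAuthenticator returns after LDAP + token succeed: the group
    # string as Fortinet-Group-Name, sealed with the Response Authenticator.
    attrs = _fortinet_group_vsa(group)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, secret):
    # RFC 2865 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def fortinet_group_names(packet):
    # Walk the attribute list and collect every Fortinet-Group-Name value.
    groups, attrs, i = [], packet[20:], 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2:
            break
        value = attrs[i + 2:i + length]
        if t == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == FORTINET_VENDOR_ID:
            j = 4
            while j + 2 <= len(value) and value[j + 1] >= 2:
                if value[j] == FORTINET_GROUP_NAME:
                    groups.append(value[j + 2:j + value[j + 1]].decode())
                j += value[j + 1]
        i += length
    return groups


def simulate(username, password, secret_nas, secret_server, fac_group, pam_group):
    # Full round trip; the FortiPAM remote Group Name must match the returned
    # string exactly, so "PAM-Admins" vs "pam-admins" is a mismatch.
    req, auth = build_access_request(7, username, password, secret_nas)
    resp = build_access_accept(7, auth, fac_group, secret_server)
    if not verify_response(resp, auth, secret_nas):
        return "bad-secret"
    if pam_group not in fortinet_group_names(resp):
        return "no-group"
    return "ok"


if __name__ == "__main__":
    print(simulate("pirlo", "Passw0rd", b"s3cret", b"s3cret", "pam-admins", "pam-admins"))
```

In a real deployment the "bad-secret" case shows up as a FortiPAM login failure with the FortiAuthenticator Radius-Authentication debug log reporting a bad or unknown client, while the "no-group" case shows a successful authentication in that log but a user with no folder access in FortiPAM; in both cases compare the strings configured in the FortiPAM RADIUS server / remote group with those on the FortiAuthenticator side.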

 

Note:

Wildcard remote users are not supported for security reasons; each remote user must be created explicitly in FortiPAM (step 3 above).