Creating a forward account

  1. Select Management > Accounts.
  2. Click Add.
  3. Define the object's name.
  4. Select the Blocked option to disable the account after it is created.
  5. Select forward from the Type drop-down list.

  6. Select the desired session recording option.

    • all - Fudo PAM saves session metadata (basic session information), records raw network traffic (RAW file) and stores session data in its internal file format (FBS). The latter enables session playback using the built-in session player, as well as exporting sessions to a selection of video file formats.
    • raw - Fudo PAM saves session metadata (basic session information) and records raw network traffic (RAW file). The raw data can be downloaded but it cannot be played back in graphical form using the built-in session player (the session player only depicts the network packet exchange between the client and the target host).
    • noraw - Fudo PAM records the session data in a non-raw format that can be played back using the built-in session player.
    • none - Fudo PAM saves only session metadata (basic session information).
  7. In the Notes field, enter a message to User Portal users. If permissions are granted, notes can also be edited.

Note

Account notes can be displayed in the User Portal.

  8. In the Category field, select the privileged or non-privileged account category. The category serves an informational purpose only.

  9. In the Data retention section, define automatic data removal settings.

    • Select the Override global retention settings option to set different retention values for connections established using this account.
    • Check the Delete session data option to exclude sessions from the retention mechanism.
    • Next to the Delete session data field, define the number of days after which the session data will be moved to an external storage device. When the option is checked, the default value is 30 days.
  10. In the Permissions section, add users allowed to manage this object.

  11. In the Server section, assign the account to a specific server by selecting it from the Server drop-down list.

  12. From the Replace secret with drop-down list in the Credentials section, select the desired option.

secret from a different account

  • From the Account drop-down list, select the account object whose credentials will be used to authenticate the user when establishing a connection with the monitored server.

Note

The list contains only objects to which you have been given access permissions.

key

  • Click the i icon and select the key type.
  • Click the i icon and browse the file system to find the key definition file.

password

  • Provide account password.
  • Repeat account password.

Note

Two-fold authentication

With two-fold authentication enabled, the user is prompted twice for login credentials: once for authenticating against Fudo PAM and once again for accessing the target system.

To enable two-fold authentication, select password from the Replace secret with drop-down list and leave the password and login fields empty.

password from external repository

  • Select external repository.

Note

Authentication by the server

With the Authenticate against server option enabled, Fudo PAM does not verify the correctness of user credentials. Login information is forwarded to the target host, which verifies whether the user is allowed to access it. The verification status is returned to Fudo, which then establishes the monitored connection. To enable this authentication scenario, select the Authenticate against server option in the Credentials section (available only for SSH servers and RDP hosts with the Enhanced RDP Security (TLS) + NLA security option selected).


Also note that 2FA/MFA authentication won't work here. If you create a user with OATH+AD authentication, the OATH part is bypassed and only the password is used and sent to the server; Fudo won't ask for the OATH token in this situation. The same goes for Duo, SMS and any other 2FA user authentication scheme that can be configured in Fudo. This restriction is specific to forward account types only.

  13. Select the Forward domain option to have the domain name included in the string identifying the user.
  14. Click Save.
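The two notes above describe two credential flows that are easy to confuse when reviewing forward accounts: two-fold authentication (password type with empty login and password) and Authenticate against server, where Fudo forwards the credentials unverified and any OATH, Duo or SMS second factor assigned to the user is silently skipped. The following added example (not Fudo's own tooling) models those rules as a lint over an exported account list; the record layout, field names and sample data are constructed for this example and do not reflect Fudo's real export format.

```python
"""Lint exported forward-account definitions for silently bypassed MFA.

Added example, not part of Fudo PAM. The record layout below is an
assumption constructed for this example; Fudo's export format differs.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Second-factor schemes the documentation names as bypassed when a forward
# account authenticates against the target server.
MFA_SCHEMES = {"oath", "duo", "sms"}


@dataclass
class ForwardAccount:
    name: str
    replace_secret_with: str           # "account" | "key" | "password" | "external"
    login: str = ""
    password: str = ""
    authenticate_against_server: bool = False
    # assumed field: user name -> set of authentication methods configured in Fudo
    user_auth_methods: dict[str, set[str]] = field(default_factory=dict)


def auth_mode(acc: ForwardAccount) -> str:
    """Classify how credentials reach the target, following the page's rules."""
    if acc.authenticate_against_server:
        return "authenticate-against-server"   # Fudo forwards credentials unverified
    if acc.replace_secret_with == "password" and not acc.login and not acc.password:
        return "two-fold"                      # user is prompted twice
    return "substituted"                       # Fudo injects the stored secret


def bypassed_mfa(acc: ForwardAccount) -> list[tuple[str, str]]:
    """Return (user, scheme) pairs whose second factor is skipped for this account."""
    if auth_mode(acc) != "authenticate-against-server":
        return []
    return sorted((user, m) for user, methods in acc.user_auth_methods.items()
                  for m in methods if m in MFA_SCHEMES)


def lint(accounts: list[ForwardAccount]) -> list[str]:
    """One finding per user whose MFA is bypassed by an account's configuration."""
    return [f"{acc.name}: {scheme.upper()} for {user} is bypassed; only the password reaches the server"
            for acc in accounts for user, scheme in bypassed_mfa(acc)]


# Constructed sample records (not real Fudo data).
SAMPLE = [
    ForwardAccount("db-admin", "password", authenticate_against_server=True,
                   user_auth_methods={"alice": {"ad", "oath"}, "bob": {"ad"}}),
    ForwardAccount("jump-host", "password"),            # empty login/password: two-fold
    ForwardAccount("app-svc", "account", login="svc", password="s3cret"),
]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```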
