MFA Vendor Support

Palo Alto Networks® next-generation firewalls and Panorama™ appliances can integrate with multi-factor authentication (MFA) vendors using RADIUS and, in PAN-OS® 8.0 and later releases, using SAML.
Additionally, firewalls running a PAN-OS 8.0 or later release can integrate with specific MFA vendors using the API to enforce MFA through Authentication policy.
Authentication Use Case
RADIUS (any vendor)
TACACS+ (any vendor)
SAML
(any vendor)
MFA Server Profile
Next-Generation Firewall and Panorama Administrator Web Interface
check-mark.png
check-mark.png
check-mark.png
PAN-OS 8.0 & later
Next-Generation Firewall and Panorama Administrator CLI
check-mark.png
check-mark.png
GlobalProtect™ Portal and Gateway Authentication
check-mark.png
check-mark.png
check-mark.png
PAN-OS 8.0 & later
Authentication Policy
(Formerly Captive Portal Policy)
check-mark.png
check-mark.png
check-mark.png
PAN-OS 8.0 & later
check-mark.png
PAN-OS 8.0 & later
Vendor / Min. Content Version
*
  • RSA SecurID Access / 752
  • PingID / 655
  • Okta Adaptive / 655
  • Duo v2 / 655
*
Palo Alto Networks provides support for MFA vendors through Applications content updates, which means that if you use Panorama to push device group configurations to firewalls, you must install the same Applications release version on managed firewalls as you install on Panorama to avoid mismatches in vendor support.

Related Documentation