Set Up External Authentication

Learn how to set up external authentication for the GlobalProtect portal and gateways, including LDAP, Kerberos, RADIUS, SAML, and TACACS+.
Where Can I Use This?
  • NGFW (managed by Panorama or Strata Cloud Manager)
  • Prisma Access (managed by Panorama or Strata Cloud Manager)
What Do I Need?
  • GlobalProtect Gateway license or Prisma Access license with the Mobile User subscription
The following workflows describe how to set up the GlobalProtect portal and gateways to use an external authentication service. The supported authentication services include LDAP, Kerberos, RADIUS, SAML, and TACACS+.
GlobalProtect also supports local authentication. To use local authentication, create a local user database (Device > Local User Database) that contains the users and groups to which you want to allow GlobalProtect access, and then refer to that database in the authentication profile.
Refer to the sections below for more information:
GlobalProtect does not support 802.1X authentication. However, you can leverage User-ID to grant users access based on their Active Directory (AD) group membership. This allows you to build Security policy rules based on a source user group (such as admins, marketing, or sales) and the GlobalProtect IP address pool to allow access to specific resources while blocking unauthorized access.
To accomplish this, enable User-ID on the inbound zone of your GlobalProtect gateway and configure an LDAP server profile with a group mapping profile to retrieve the group information. You can then use these groups in your Security policy rules to limit access for GlobalProtect users.