Next-Generation Firewall
Configure Passwordless Authentication
Transparently authenticate users to Kerberos-protected applications by using your
firewall as a delegation agent, eliminating password entry while maintaining strong
security.
To simplify authentication and reduce user friction, you can enable passwordless
authentication.
Passwordless authentication delegates a ticket on behalf of the authenticated user,
so users log in only once. After successfully authenticating, they can access any
app managed by the authentication server without logging in again, until the
authentication period expires.
First, create a delegation profile to delegate the ticket on behalf of the
authenticated user. Associate the delegation profile with your authentication server
profile (in this case Kerberos) and configure an authentication object to use the
delegation profile for user authentication.
Next, create a custom URL filter for the URLs of the apps, and then create a
Security policy rule that references the custom URL category. As the final step,
create an HTTP header insertion that references the custom URL category.
Users then log in once to authenticate and can switch between apps without being
prompted to reauthenticate until the authentication period expires.
Passwordless authentication supports HTTPS traffic only.
1. Prepare to deploy passwordless authentication.
   - Enable User-ID in the Kerberos traffic zone.
   - Enable the URL filter feature.
   - Enable decryption.
2. Configure the Kerberos server profile.
   - Select Device > Server Profiles > Kerberos.
   - Add the Name and IP address of your Kerberos Server.
   - Specify the Port number (typically 88).
   - Click OK.
3. Define the delegation profile.
   - Select Device > Delegation Profile.
   - Add a new delegation profile.
   - Specify a Name for the delegation profile.
   - (Panorama only) Select the virtual system Location for the delegation profile.
   - Specify the Kerberos Realm (for example, example.com).
   - Select the Kerberos Server Profile you created in step 2.
   - Import the Kerberos Keytab. Only include the users who require passwordless authentication in the keytab. Passwordless authentication supports keytabs in the AES 256 format.
   - Click OK.
4. Configure the authentication object.
   - Select Objects > Authentication.
   - Add a new Authentication Enforcement object and specify a Name.
   - Select constrained-delegation as the Authentication Method.
   - Select the Delegation Profile you created in step 3.
   - Click OK.
5. Define the URL category for the login URLs of the applications that require Kerberos for authentication.
   - Select Objects > Custom Objects > URL Category.
   - Add a new URL Category and enter a Name.
   - Add the login URLs for the Sites of all the applications that currently require Kerberos authentication and for which you want to enable passwordless authentication.
   - Click OK.
6. Create the URL Filtering profile for the login URLs of the allowed applications that require Kerberos for authentication.
   - Select Objects > Security Profiles > URL Filtering.
   - Add a new URL Filtering Profile and enter a Name.
   - Select HTTP Header Insertion, then click Add.
   - Add a new header insertion and either Add the Categories of the allowed URLs or enter their Domains.
   - Add a Header with the Name "Authorization" and the Value Negotiate ($apreq). You must enter the header exactly as displayed above.
   - Click OK twice.
7. Enable strip ALPN to disable HTTPS traffic.
   - Select Objects > Decryption > Decryption Profile.
   - Add a Decryption Profile and enter a Name.
   - Select Strip ALPN.
   - Click OK.
8. Configure a Security policy rule and associate it with the URL Filtering profile.
   - Select Policies.
   - Add a new Security policy rule.
   - Enter a Name for the rule.
   - Select Actions.
   - Select the URL Filtering profile you created in step 6.
   - Click OK.
9. Create a decryption rule to decrypt the necessary traffic.
   - Select Policies > Decryption.
   - Add a rule to decrypt the traffic between the firewall and Kerberos.
10. Configure an authentication policy rule and associate it with the URL category.
    - Select Policies > Authentication.
    - Add a new Security policy rule.
    - Enter a Name for the rule.
    - For the source zone, source address, and source user, specify the information for the users for whom you want to enable passwordless authentication.
    - For the destination zone and destination address, specify as needed.
    - For the application, specify web-browsing or other relevant applications.
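Step 3 requires the imported keytab to contain only the passwordless-authentication users and only AES 256 keys. As an added example (not part of the PAN-OS documentation), the following Python script parses the MIT keytab file format (version 0x0502), lists each principal with its enctype, and flags entries that are not AES-256 or that belong to principals outside your allowed list, so the check can run before the upload. The principal names, realm and key bytes in the sample keytab are constructed test data.

```python
import struct
AES256_ENCTYPES = {18, 20}   # RFC 3961/8009: aes256-cts-hmac-sha1-96, aes256-cts-hmac-sha384-192

def _cstr(buf, pos):  # MIT counted octet string: uint16 big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, enctype), ...] for each live entry of an MIT v2 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not an MIT keytab version 2 file")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)   # entry length in bytes
        pos += 4
        if size < 0:                   # a negative size marks a deleted slot
            pos -= size
            continue
        e = data[pos:pos + size]
        (ncomp,) = struct.unpack_from(">H", e, 0)
        names, p = [], 2               # realm first, then the name components
        for _ in range(ncomp + 1):
            s, p = _cstr(e, p)
            names.append(s)
        p += 4 + 4 + 1                 # skip name_type, timestamp, 8-bit kvno
        out.append(("/".join(names[1:]) + "@" + names[0], struct.unpack_from(">H", e, p)[0]))
        pos += size                    # key material and optional kvno32 follow
    return out

def keytab_problems(data, allowed_principals):
    """Flag entries that should not go into a delegation-profile keytab."""
    problems = []
    for principal, enctype in parse_keytab(data):
        if enctype not in AES256_ENCTYPES:
            problems.append(f"{principal}: enctype {enctype} is not AES-256")
        if principal not in allowed_principals:
            problems.append(f"{principal}: not a passwordless-authentication user")
    return problems

def build_entry(name, realm, enctype, key):
    """Build one keytab entry; used only to construct the sample data below."""
    parts = [realm] + name.split("/")
    body = struct.pack(">H", len(parts) - 1)
    body += b"".join(struct.pack(">H", len(s)) + s.encode() for s in parts)
    body += struct.pack(">IIBHH", 1, 0, 2, enctype, len(key)) + key  # nt, time, kvno, key
    return struct.pack(">i", len(body)) + body

# Constructed sample keytab with fake keys: one AES-256 entry and one legacy RC4 entry.
SAMPLE_KEYTAB = (b"\x05\x02" + build_entry("svc-panfw", "EXAMPLE.COM", 18, b"\x11" * 32)
                 + build_entry("legacy-app", "EXAMPLE.COM", 23, b"\x22" * 16))
```

Run `keytab_problems(open("firewall.keytab", "rb").read(), allowed)` against the real file and import it only when the returned list is empty.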