Prisma Access
Set Up Authentication
Table of Contents
Set Up Authentication
To set up authentication with
Prisma Access
,To set up authentication with
Prisma Access
,
first add your authentication service(s) to Prisma Access
. Then
specify the traffic for which you want to require authentication.
Build on these settings to add more authentication features, like
MFA, authentication sequences, or enable Prisma Access
to create
and update IP address to username mappings.Here’s how to
get started—all the settings you need to enable authentication with
Prisma Access
are in one place: . If you're using Strata Cloud Manager, go to . Select the configuration
scope.
Prisma Access
- Authentication RulesHere’s where you specify the traffic for which you want to require authenticationPart of setting up an Authentication Rule includes adding an authentication profile to the rule. WhenPrisma Accessdetects traffic that matching an authentication rule, it applies the authentication methods and settings defined in the authentication profile to the matching traffic. The profile is what defines how the users will be required to authenticate.
- Go to andAdd Authentication Rule.If you're using Strata Cloud Manager, go to andAdd Authentication Rule. Select thePrisma Accessconfiguration scope.
- Define the users, services, and URL categories that require authentication.
- Set the rule action toAuthenticateand choose theProfilethat defines the authentication method you want to use for traffic that matches this rule.
- Authentication ProfileAdd your authentication services here, and define authentication settingsConnectPrisma Accessto the services you want to use to authenticate users—SAML, TACACS+, RADIUS, LDAP, or Kerberos—and define authentication settings (for example, set a limit for failed login attempts).If you are using an on-premises authentication service, you must first create a service connection to connect the on-premises authentication service to Prisma Access. Then, return here to set up your authentication profile.Go to and start by setting the profileAuth Type:If you're using Strata Cloud Manager, go to and start by setting the profileAuth Type. Select theconfiguration scope.Prisma Access
You’ll be prompted to add details about the authentication service you chose that will enablePrisma Accessto connect to the service, and read user credentials and role permissions. Additional settings to customize authentication are provided in the profile, and might vary depending on the type of authentication you’re setting up. - MFA ServersSpecify the MFA vendor you’re usingTo use multiple methods to authenticate users to sensitive applications, start by adding the MFA vendors you want to use (Add MFA Server).Prisma Accessprovides a list of MFA vendors for you to choose from.
- Authentication PortalSet up the authentication portal (formerly known asCaptive Portalfor users at remote network sites, and enablePrisma Accessto create IP address to username mappingsFor first-factor authentication (login and password), users at remote network sites must authenticate through the authentication portal. If the authentication succeeds,Prisma Accessdisplays an MFA login page for each additional authentication factor that’s required.Prisma Accessuses the credentials users submit to create and update IP address to username mappings. This means that you’ll always know who at a remote network site is accessing web content and enterprise applications.
- Authentication SequenceRank authentication profiles in the order you wantPrisma Accessto try themSelect andAdd Authentication Sequenceto rank your authentication profiles.Prisma Accesschecks each of them in sequence until one successfully authenticates the user.If you're using Strata Cloud Manager, go to . Select theconfiguration scope.Prisma Access
