Strata Cloud Manager
Manage: Authentication
Table of Contents
Manage: Authentication
Learn to manage authentication services.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
Each of these licenses include access to Strata Cloud Manager:
→ The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are
using.
|
To ensure that only legitimate users have access to your most protected resources, Prisma
Access supports several authentication types, including support for SAML, TACACS+,
RADIUS, LDAP, Kerberos, MFA, local database authentication, and SSO.
To set up your authentication policies, go to .
Here are the services Prisma Access integrates with to provide authentication, and
features to consider when you are planning your authentication set up:
Authentication Support
| SAML |
If your users access services and applications that are external
to your network, you can use SAML to integrate Prisma Access
with an identity provider (IdP) that controls access to both
external and internal services and applications. SAML single
sign-on (SSO) enables one login to access multiple applications,
and is helpful in environments where each user accesses many
applications and authenticating for each one would impede user
productivity. In this case, SAML single sign-on (SSO) enables
one login to access multiple applications. Likewise, SAML single
logout (SLO) enables a user to end sessions for multiple
applications by logging out of just one session. SSO works for
mobile users who access applications through the GlobalProtect
app or users at remote networks that access applications through
the Authentication Portal. SLO is available to GlobalProtect app
users.
You can't use SAML authentication profiles in authentication
sequences. |
| TACACS+ |
Terminal Access Controller Access-Control System Plus (TACACS+)
is a family of protocols that enable authentication and
authorization through a centralized server. TACACS+ encrypts
usernames and passwords, making it more secure than RADIUS,
which encrypts only passwords. TACACS+ is also more reliable
because it uses TCP, whereas RADIUS uses UDP.
|
| RADIUS |
Remote Authentication Dial-In User Service (RADIUS) is a broadly
supported networking protocol that provides centralized
authentication and authorization. You can also add a RADIUS
server to Prisma Access to implement multi-factor
authentication.
|
| LDAP |
Lightweight Directory Access Protocol (LDAP) is a standard
protocol for accessing information directories. You can use LDAP
to authenticate users who access applications or services
through Authentication Portal.
|
| Kerberos |
Kerberos is an authentication protocol that enables a secure
exchange of information between parties using unique keys
(called tickets) to identify the parties. With Kerberos, you can
authenticate users who access applications through the
Authentication Portal. With Kerberos SSO enabled, the user needs
to log in only for initial access to your network (such as
logging in to Microsoft Windows). After this initial login, the
user can access any browser-based service in the network without
having to log in again until the SSO session expires.
To use Kerberos, you first need a a Kerberos account for Prisma
Access that will authenticate users. An account is required to
create a Kerberos keytab, which is a file that contains the
principal name and hashed password of the firewall or Panorama.
The SSO process requires the keytab.
Kerberos SSO is available only for services and applications that
are internal to your Kerberos environment. To enable SSO for
external services and applications, use SAML.
|
| Cloud Identity Engine |
The Cloud Identity Engine (CIE) provides both user identification
and user authentication for mobile users in a Prisma
Access—Explicit Proxy deployment. The Cloud Identity Engine
integrates with the Explicit Proxy Authentication Cache Service
(ACS) and uses SAML identity providers (IdPs) to provide
authentication for Explicit Proxy mobile users.
|
| MFA |
Muti-factor authentication (MFA) gives you a way to implement
multiple authentication challenges of different types (these are
called factors) to protect your most sensitive services
and applications. For example, you might want stronger
authentication for key financial documents than for search
engines.
Prisma Access has a built-in list of supported MFA vendors, that
is automatically updated as new vendors are added:
|
| Local Database Authentication |
Create a database that runs locally on Prisma Access and contains
user accounts (usernames and passwords or hashed passwords).
This type of authentication is useful for creating user accounts
that reuse the credentials of existing Unix accounts in cases
where you know only the hashed passwords, not the plaintext
passwords. For accounts that use plaintext passwords, you can
also define password complexity and expiration settings. This
authentication method is available to users who access services
and applications through the Authentication Portal or the
GlobalProtect app.
|
Authentication Feature Highlights
| SSO |
If you’re using SAML or Kerberos, you can implement single
sign-on (SSO), which enables users to authenticate only once for
access to multiple services and applications. SAML and Kerberos
support SSO.
|
| Authentication Portal |
Redirect web requests that match an authentication rule to a
Prisma Access login page where they’re prompted to authenticate.
Prisma Access uses the information the user submits to this
authentication portal to create or update IP address to user
name mappings.
This is especially useful for remote networks, so that you
continue to have monitor and enforce traffic based on a user (or
group). When a user initiates web traffic (HTTP or HTTPS) that
matches an authentication rule, Prisma Access prompts the user
to authenticate through the authentication portal. Prisma Access
creates or updates the IP address to username mapping based on
the information the user submits to the portal. This ensures
that you know exactly who at a remote network site is accessing
your most sensitive applications and data.
|
| Authentication Sequence |
If you use multiple types of authentication for different
purposes, you can set an authentication sequence to rank your
profiles. Prisma Access checks each profile based on your
ranking until one successfully authenticates the user.
|
How Authentication Works
After you’ve added your organization’s authentication services to Prisma Access
(here's how), Prisma Access authenticates users at
multiple points:
- When they connect to Prisma AccessHere's how to define how you’d like mobile users to authenticate to Prisma Access. You don’t need to define authentication settings for users at remote networks to connect to Prisma Access, as the remote network traffic is routed through secure VPN tunnels.
- When user traffic meets your requirements for additional authenticationHere's how to require users to authenticate (using one or multiple methods) to access enterprise applications and protected network resources.
When users generate web traffic that matches your authentication requirements,
Prisma Access checks that the users are legitimate by prompting them to
authenticate using one or more methods (factors), such as login and password,
voice, SMS, push, or one-time password (OTP) authentication—the factors Prisma
Access uses are all based on the authentication service and settings that you
specify in your authentication profiles. For the first factor
(login and password), users authenticate through the authentication portal.
For the other factors, users then authenticate through a multi-factor
authentication login page.
After authenticating users, Prisma Access evaluates your security rules to
determine whether to allow access to the application. Prisma Access logs all
activity where users attempt to access applications, services, or resources that
you’ve designated for secure access.