Configure LDAP Authentication
You can use LDAP to authenticate end users who access applications or services through Captive Portal and authenticate firewall or Panorama administrators who access the web interface.
- Add an LDAP server profile. The profile defines how the firewall connects to the LDAP server.
- Select Device > Server Profiles > LDAP (on Panorama™, Panorama > Server Profiles > LDAP) and Add a server profile.
- Enter a Profile Name to identify the server profile.
- (Multi-vsys only) Select the Location in which the profile is available.
- (Optional) Select Administrator Use Only to restrict access to administrators.
- Add the LDAP servers (up to four). For each server, enter a Name (to identify the server), the LDAP Server IP address or FQDN, and the server Port (default 389). If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
- Select the server Type.
- Select the Base DN. To identify the Base DN of your directory, open the Active Directory Domains and Trusts Microsoft Management Console snap-in and use the name of the top-level domain.
- Enter the Bind DN and Password to enable the authentication service to authenticate the firewall. The Bind DN account must have permission to read the LDAP directory.
- Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).
- Enter the Retry Interval in seconds (default is 60).
- Enable the option to Require SSL/TLS secured connection (enabled by default). The protocol that the endpoint uses depends on the server port:
  - Any other port—The device first attempts to use TLS. If the directory server doesn’t support TLS, the device falls back to SSL.
- (Optional) For additional security, enable the option to Verify Server Certificate for SSL sessions so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to Require SSL/TLS secured connection. For verification to succeed, the certificate must meet one of the following conditions:
  - It is in the list of device certificates. If necessary, import the certificate into the device: Device > Certificate Management > Certificates > Device Certificates.
  - The certificate signer is in the list of trusted certificate authorities: Device > Certificate Management > Certificates > Default Trusted Certificate Authorities.
- Click OK to save the server profile.
- Assign the server profile to an authentication profile (Configure an Authentication Profile and Sequence) to define various authentication settings.
- Assign the authentication profile to the firewall application that requires authentication.
- Verify that the firewall can authenticate users (Test Authentication Server Connectivity).
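As an added example (not Palo Alto Networks code), the following script audits an LDAP server profile against the constraints in the procedure above: the four-server limit, a populated Base DN and bind account, positive timeouts, and the dependency between Require SSL/TLS secured connection and Verify Server Certificate for SSL sessions. The dict keys, server names and bind DN are constructed for illustration and mirror the web-interface field names rather than any real export format.

```python
# Added example, not Palo Alto Networks code: audit an LDAP server profile
# against the constraints this procedure describes. The profile is a plain
# dict whose keys mirror the web-interface field names; key names and sample
# values are constructed for illustration.

MAX_SERVERS = 4  # the profile accepts up to four LDAP servers


def audit_ldap_profile(profile: dict) -> list[str]:
    """Return findings for a profile; an empty list means it passes."""
    findings = []
    servers = profile.get("servers", [])
    if not servers:
        findings.append("no LDAP server defined")
    if len(servers) > MAX_SERVERS:
        findings.append(f"{len(servers)} servers defined, maximum is {MAX_SERVERS}")
    for srv in servers:
        for key in ("name", "ldap_server", "port"):
            if not srv.get(key):
                findings.append(f"server entry is missing '{key}'")
    if not profile.get("base_dn"):
        findings.append("Base DN is empty")
    if not (profile.get("bind_dn") and profile.get("bind_password")):
        findings.append("Bind DN or Password missing; the bind account must be able to read the directory")
    for key, default in (("bind_timeout", 30), ("search_timeout", 30), ("retry_interval", 60)):
        if profile.get(key, default) <= 0:
            findings.append(f"{key} must be a positive number of seconds")
    require_tls = profile.get("require_ssl_tls", True)  # enabled by default
    verify_cert = profile.get("verify_server_certificate", False)
    if not require_tls:
        findings.append("Require SSL/TLS is disabled: bind credentials would cross the network in cleartext")
    if verify_cert and not require_tls:
        findings.append("Verify Server Certificate only takes effect when Require SSL/TLS is enabled")
    if require_tls and not verify_cert:
        findings.append("server certificate is not verified, so an impostor directory server would be accepted")
    return findings


# Constructed sample profile: one Active Directory server, TLS required and verified.
GOOD_PROFILE = {
    "servers": [{"name": "dc1", "ldap_server": "dc1.example.internal", "port": 389}],
    "type": "active-directory",
    "base_dn": "DC=example,DC=internal",
    "bind_dn": "CN=pan-bind,OU=Service Accounts,DC=example,DC=internal",
    "bind_password": "<placeholder>",
    "require_ssl_tls": True,
    "verify_server_certificate": True,
}
```

Run `audit_ldap_profile` over each profile before committing; a non-empty result lists the settings that would leave the bind credentials exposed or the directory server unverified.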