Objects > Authentication
An authentication enforcement object specifies the method
and service to use for authenticating end users who access your
network resources. You assign the object to Authentication policy
rules, which invoke the authentication method and service when traffic
matches a rule (see Policies > Authentication).
The firewall has the following predefined, read-only authentication
enforcement objects:
- default-browser-challenge—The firewall transparently obtains user authentication credentials. If you select this action, you must enable Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication when you configure Authentication Portal. If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you did not configure NTLM, or NTLM authentication fails, the firewall falls back to the authentication method specified in the predefined default-web-form object.
- default-web-form—To authenticate users, the firewall uses the certificate profile or authentication profile you specified when configuring Authentication Portal. If you specified an authentication profile, the firewall ignores any Kerberos SSO settings in the profile and presents an Authentication Portal page for the user to enter authentication credentials.
- default-no-captive-portal—The firewall evaluates Security policy without authenticating users.
Before creating a custom authentication enforcement object:
- Configure a server profile that specifies how to connect to the authentication service (see Device > Server Profiles).
- Assign the server profile to an authentication profile that specifies authentication settings such as Kerberos single sign-on parameters (see Device > Authentication Profile).
To create a custom authentication enforcement object, click Add and complete the following fields:

| Authentication Enforcement Settings | Description |
|---|---|
| Name | Enter a descriptive name (up to 31 characters) to help you identify the object when defining Authentication rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. |
| Shared (Panorama only) | Select this option if you want the object to be available to: |
| Disable override (Panorama only) | Select this option to prevent administrators from overriding the settings of this authentication enforcement object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object. |
| Authentication Method | Select a method: |
| Authentication Profile | Select the authentication profile that specifies the service to use for validating the identities of users. |
| Message | Enter instructions that tell users how to respond to the first authentication challenge that they see when their traffic triggers the Authentication rule. The message displays in the Authentication Portal Comfort Page. If you don't enter a message, the default Authentication Portal Comfort Page displays (see Device > Response Pages). The firewall displays the Authentication Portal Comfort Page only for the first authentication challenge (factor), which you define in the Authentication tab of the Authentication Profile (see Device > Authentication Profile). For multi-factor authentication (MFA) challenges that you define in the Factors tab of the profile, the firewall displays the MFA Login Page. |
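The following is an added example, not PAN-OS code or anything from the product documentation. It models two rules stated on this page so they can be checked offline: the Name constraints from the table above (up to 31 characters; letters, numbers, spaces, hyphens and underscores; case-sensitive uniqueness) and the fallback order of the predefined default-browser-challenge object (Kerberos SSO, then NTLM if configured, then the default-web-form method). The function names, the flag parameters and the returned labels are assumptions chosen for the illustration; the sample names are constructed.

```python
import re

# Constructed model of two rules from the Objects > Authentication page.
# This is an added illustration, not PAN-OS code; it assumes only what the
# page states about object names and the default-browser-challenge fallback.

NAME_MAX_LEN = 31
# Letters, numbers, spaces, hyphens and underscores are the only characters allowed.
_ALLOWED_CHARS = re.compile(r"^[A-Za-z0-9 _-]*$")


def validate_object_name(name: str, existing: set[str]) -> list[str]:
    """Return the rule violations for a proposed object name (empty list means accepted).

    `existing` holds the names already defined in the same scope. The page says
    names are case-sensitive, so the uniqueness check is an exact comparison:
    "Corp-Auth_1" and "corp-auth_1" are distinct names.
    """
    problems: list[str] = []
    if not name:
        problems.append("name is empty")
    if len(name) > NAME_MAX_LEN:
        problems.append(f"name exceeds {NAME_MAX_LEN} characters")
    if not _ALLOWED_CHARS.match(name):
        problems.append("name contains unsupported characters")
    if name in existing:
        problems.append("name already exists")
    return problems


def resolve_browser_challenge(kerberos_sso_enabled: bool,
                              kerberos_sso_succeeds: bool,
                              ntlm_configured: bool,
                              ntlm_succeeds: bool) -> str:
    """Return which mechanism finally authenticates a user under default-browser-challenge.

    Order stated on the page: Kerberos SSO is tried first; if it fails the firewall
    falls back to NTLM; if NTLM is not configured or also fails, the firewall falls
    back to the method of the predefined default-web-form object. The page also
    requires Kerberos SSO or NTLM to be enabled before this action may be selected,
    which is modelled here as a precondition.
    """
    if not (kerberos_sso_enabled or ntlm_configured):
        raise ValueError("default-browser-challenge requires Kerberos SSO or NTLM")
    if kerberos_sso_enabled and kerberos_sso_succeeds:
        return "kerberos-sso"
    if ntlm_configured and ntlm_succeeds:
        return "ntlm"
    return "default-web-form"


if __name__ == "__main__":
    # Constructed sample names checked against one existing object.
    existing = {"Corp-Auth_1"}
    for candidate in ("Corp-Auth_1", "corp-auth_1", "bad!name", "x" * 32):
        print(f"{candidate!r}: {validate_object_name(candidate, existing) or 'accepted'}")
    # Kerberos SSO enabled but failing, NTLM configured but failing: web form is used.
    print(resolve_browser_challenge(True, False, True, False))
```

The fallback model is useful when reviewing what an end user actually sees: with Kerberos SSO failing and NTLM either unconfigured or failing, the user lands on the Authentication Portal page configured for default-web-form, so that profile (and its MFA factors) must be configured even when the rule nominally uses browser-challenge.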