Configure LDAP Authentication

You can use LDAP to authenticate end users who access applications or services through Authentication Portal and authenticate firewall or Panorama administrators who access the web interface.
You can also connect to an LDAP server to define policy rules based on user groups. For details, see Map Users to Groups.
  1. Add an LDAP server profile.
    The profile defines how the firewall connects to the LDAP server.
    1. Select
      Server Profiles
      Server Profiles
      on Panorama™ and
      a server profile.
    2. Enter a
      Profile Name
      to identify the server profile.
    3. (
      Multi-vsys only
      ) Select the
      in which the profile is available.
    4. (
      ) Select
      Administrator Use Only
      to restrict access to administrators.
    5. Add
      the LDAP servers (up to four). For each server, enter a
      (to identify the server),
      LDAP Server
      IP address or FQDN, and server
      (default 389).
      If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
    6. Select the server
    7. Select the
      Base DN
      To identify the Base DN of your directory, open the
      Active Directory Domains and Trusts
      Microsoft Management Console snap-in and use the name of the top-level domain.
    8. Enter the
      Bind DN
      to enable the authentication service to authenticate the firewall.
      The Bind DN account must have permission to read the LDAP directory.
    9. Enter the
      Bind Timeout
      Search Timeout
      in seconds (default is 30 for both).
    10. Enter the
      Retry Interval
      in seconds (default is 60).
    11. Enable the option to
      Require SSL/TLS secured connection
      (enabled by default). The protocol that the endpoint uses depends on the server port:
      • 389 (default)—TLS (Specifically, the device uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
      • 636—SSL
      • Any other port—The device first attempts to use TLS. If the directory server doesn’t support TLS, the device falls back to SSL.
    12. (
      ) For additional security, enable to the option to
      Verify Server Certificate for SSL sessions
      so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to
      Require SSL/TLS secured connection
      . For verification to succeed, the certificate must meet one of the following conditions:
      • It is in the list of device certificates:
        Certificate Management
        Device Certificates.
        If necessary, import the certificate into the device.
      • The certificate signer is in the list of trusted certificate authorities:
        Certificate Management
        Default Trusted Certificate Authorities
    13. Click
      to save the server profile.
  2. Assign the server profile to Configure an Authentication Profile and Sequence to define various authentication settings.
  3. Assign the authentication profile to the firewall application that requires authentication.
  4. Verify that the firewall can Test Authentication Server Connectivity to authenticate users.

Recommended For You