Configure LDAP Authentication
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Configure LDAP Authentication
You can use LDAP to
authenticate end users who access applications or services through
Authentication Portal and authenticate firewall or Panorama administrators
who access the web interface.
You can also
connect to an LDAP server to define policy rules based on user groups.
For details, see Map
Users to Groups.
- Add an LDAP server profile.The profile defines how the firewall connects to the LDAP server.
- Select DeviceServer ProfilesLDAP or PanoramaServer ProfilesLDAP on Panorama™ and Add a server profile.Enter a Profile Name to identify the server profile.(Multi-vsys only) Select the Location in which the profile is available.(Optional) Select Administrator Use Only to restrict access to administrators.Add the LDAP servers (up to four). For each server, enter a Name (to identify the server), LDAP Server IP address or FQDN, and server Port (default 389).If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.Select the server Type.Select the Base DN.To identify the Base DN of your directory, open the Active Directory Domains and Trusts Microsoft Management Console snap-in and use the name of the top-level domain.Enter the Bind DN and Password to enable the authentication service to authenticate the firewall.The Bind DN account must have permission to read the LDAP directory.Enter the Bind Timeout and Search Timeout in seconds (default is 30 for both).Enter the Retry Interval in seconds (default is 60).Enable the option to Require SSL/TLS secured connection (enabled by default). The protocol that the endpoint uses depends on the server port:
- 389 (default)—TLS (Specifically, the device uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
- 636—SSL
- Any other port—The device first attempts to use TLS. If the directory server doesn’t support TLS, the device falls back to SSL.
(Optional) For additional security, enable to the option to Verify Server Certificate for SSL sessions so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to Require SSL/TLS secured connection. For verification to succeed, the certificate must meet one of the following conditions:- It is in the list of device certificates: DeviceCertificate ManagementCertificates, then Device Certificates. If necessary, import the certificate into the device.
- The certificate signer is in the list of trusted certificate authorities: DeviceCertificate ManagementCertificatesDefault Trusted Certificate Authorities.
Click OK to save the server profile.Assign the server profile to Configure an Authentication Profile and Sequence to define various authentication settings.Assign the authentication profile to the firewall application that requires authentication.- Administrative access to the web interface—Configure a Firewall Administrator Account and assign the authentication profile you configured.
- End user access to services and applications—For the full procedure to configure authentication for end users, see Configure Authentication Policy.
Verify that the firewall can Test Authentication Server Connectivity to authenticate users.