1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Authentication
    5. Configure an Authentication Profile and Sequence
    Previous
    Next
    An authentication profile defines the authentication service that validates the login credentials of firewall or Panorama administrators and Captive Portal or GlobalProtect end users. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).
    Some networks have multiple databases for different users and user groups (for example, TACACS+ and LDAP). To authenticate users in such cases, configure an authentication sequence, which is a ranked order of authentication profiles that the firewall or Panorama matches a user against during login. The firewall or Panorama checks against each profile in sequence until one successfully authenticates the user (the firewall always checks the local database first if the sequence includes one). A user is denied access only if authentication fails for all the profiles in the authentication sequence.
    Configure an Authentication Profile and Sequence
    Create a Kerberos keytab. Required if the firewall or Panorama will use Kerberos SSO authentication. Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall or Panorama.
    Configure a local database (firewall only) or external server profile (firewall or Panorama). Required for local database or external authentication. Local database authentication—Perform the following tasks: Configure the user account. ( Optional ) Configure a user group. External authentication—Perform one of the following tasks: Configure a RADIUS Server Profile. Configure a TACACS+ Server Profile. Configure an LDAP Server Profile. Configure a Kerberos Server Profile.
    Configure an authentication profile. Define one or both of the following: Kerberos SSO—The firewall or Panorama first tries SSO authentication. If that fails, it falls back to the specified authentication Type. Local database or external authentication—The firewall or Panorama prompts the user to enter login credentials, and uses its local database (firewalls only) or an external service to authenticate the user. Select Device > Authentication Profile and Add the authentication profile. Enter a Name to identify the authentication profile. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the profile is available. Select the authentication Type. If you select RADIUS, TACACS+, LDAP, or Kerberos, select the authentication Server Profile from the drop-down. If the Type is LDAP, define the Login Attribute. For Active Directory, enter sAMAccountName as the value. ( Optional ) Select the User Domain and Username Modifier options as follows to modify the domain/username string that the user will enter during login. This is useful when the authentication service requires the string in a particular format and you don’t want to rely on users to correctly enter the domain. To send only the unmodified user input, leave the User Domain blank (the default) and set the Username Modifier to the variable %USERINPUT% (the default). To prepend a domain to the user input, enter a User Domain and set the Username Modifier to %USERDOMAIN%\%USERINPUT%. To append a domain to the user input, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%. If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama. Select Advanced and Add the users and groups that can authenticate with this profile. You can select users and groups from the local database or, if you configured an LDAP server profile, from an LDAP-based directory service such as Active Directory. Selecting all allows every user to authenticate. By default, the list is empty, meaning no users can authenticate. You can also create and allow custom groups based on LDAP filters: see Map Users to Groups. Enter the number of Failed Attempts (0-10) to log in that the firewall or Panorama allows before locking out the user. The default value 0 means there is no limit. Enter the Lockout Time (0-60), which is the number of minutes for which the firewall or Panorama locks out the user after reaching the Failed Attempts limit. The default value 0 means the lockout applies until an administrator unlocks the user account. Click OK to save the authentication profile.
    Configure an authentication sequence. Required if you want the firewall or Panorama to try multiple authentication profiles to authenticate users. The firewall or Panorama evaluates the profiles in top-to-bottom order until one profile successfully authenticates the user. Select Device > Authentication Sequence and Add the authentication sequence. Enter a Name to identify the authentication sequence. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the sequence is available. To expedite the authentication process, the best practice is to Use domain to determine authentication profile: the firewall or Panorama will match the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then use that profile to authenticate the user. If the firewall or Panorama doesn’t find a match, or if you clear the check box, it tries the profiles in the top-to-bottom sequence. Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down. Click OK to save the authentication sequence.
    Assign the authentication profile or sequence. Assign the authentication profile or sequence to an administrator account or to a firewall service for end users. Test Authentication Server Connectivity to verify that an authentication profile can communicate with the back-end authentication server and that the authentication request succeeded.
    Previous
    Next

    Related Documentation

    Device > Authentication Profile

    Device > Authentication Profile Device > Authentication Profile Panorama > Authentication Profile Select Device > Authentication Profile or Panorama > Authentication Profile to configure authentication ...

    Device > Authentication Sequence

    Device > Authentication Sequence Device > Authentication Sequence Panorama > Authentication Sequence In some environments, user accounts reside in multiple directories (for example, local database, ...

    Configure an Administrator with Kerberos SSO, External, or Local Authentication

    Configure an Administrator with Kerberos SSO, External, or Local Authentication When you configure Administrative Authentication for an administrator account, you can combine Kerberos single sign-on ...

    Test the Authentication Configuration

    Test the Authentication Configuration Use the test authentication command to determine if your firewall or Panorama management server can communicate with a back-end authentication server ...

    Set Up External Authentication

    Set Up External Authentication The following workflow describes how to set up the GlobalProtect portal and gateways to use an external authentication service. The supported ...

    Role-Based Access Control

    Role-Based Access Control Role-based access control (RBAC) enables you to define the privileges and responsibilities of administrative users (administrators). Every administrator must have a user ...

    Kerberos for Internal Gateway for Windows

    Kerberos for Internal Gateway for Windows GlobalProtect clients running on Windows 7, 8, or 10 now support Kerberos V5 single sign-on (SSO) for GlobalProtect portal ...

    Device > Server Profiles > Kerberos

    Device > Server Profiles > Kerberos Device > Server Profiles > Kerberos Panorama > Server Profiles > Kerberos Select Device > Server Profiles > Kerberos ...

    Panorama > Administrators

    Panorama > Administrators Panorama administrative accounts define administrator role and authentication parameters . To unlock a locked account, click the lock in the Locked User ...

    Configure an Administrative Account

    Configure an Administrative Account Administrative accounts specify Administrative Roles , Administrative Authentication methods, and Access Domains for Panorama administrators. You can’t add an administrator account ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo