Configure an Authentication Profile and Sequence
An authentication profile defines the authentication service that validates the login credentials of firewall or Panorama administrators and Captive Portal or GlobalProtect end users. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).
Some networks have multiple databases for different users and user groups (for example, TACACS+ and LDAP). To authenticate users in such cases, configure an authentication sequence, which is a ranked order of authentication profiles that the firewall or Panorama matches a user against during login. The firewall or Panorama checks against each profile in sequence until one successfully authenticates the user. A user is denied access only if authentication fails for all the profiles in the authentication sequence.
- Create a Kerberos keytab. Required if the firewall or Panorama will use Kerberos SSO authentication. A keytab is a file that contains Kerberos account information (the principal name and the key derived from its password) for the firewall or Panorama. Treat the keytab as a credential: anyone who obtains it can authenticate as that principal.
- Configure a local database (firewall only) or external server profile (firewall or Panorama). Required for local database or external authentication.
- Local database authentication—Perform the following tasks:
- Configure an authentication profile. Define one or both of the following:
- Kerberos SSO—The firewall or Panorama first tries SSO authentication. If that fails, it falls back to the specified authentication Type.
- Local database or external authentication—The firewall or Panorama prompts the user to enter login credentials, and uses its local database (firewalls only) or an external service to authenticate the user.
- Select Device > Authentication Profile and Add the authentication profile.
- Enter a Name to identify the authentication profile.
- If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the profile is available.
- Select the authentication Type. If you select RADIUS, TACACS+, LDAP, or Kerberos, select the authentication Server Profile from the drop-down. If the Type is LDAP, define the Login Attribute. For Active Directory, enter sAMAccountName as the value.
- (Optional) Select the User Domain and Username Modifier options as follows to modify the domain/username string that the user enters during login. This is useful when the authentication service requires the string in a particular format and you don’t want to rely on users to enter the domain correctly.
- To send only the unmodified user input, leave the User Domain blank (the default) and set the Username Modifier to the variable %USERINPUT% (the default).
- To prepend a domain to the user input, enter a User Domain and set the Username Modifier to %USERDOMAIN%\%USERINPUT%.
- To append a domain to the user input, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%.
- If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama.
- Select Advanced and Add the users and groups that can authenticate with this profile. You can select users and groups from the local database or, if you configured an LDAP server profile, from an LDAP-based directory service such as Active Directory. Selecting all allows every user to authenticate. By default, the list is empty, meaning no users can authenticate.
- Enter the number of Failed Attempts (0-10) to log in that the firewall or Panorama allows before locking out the user. The default value 0 means there is no limit. Set a nonzero limit for logins reachable from untrusted networks (GlobalProtect, Captive Portal); with 0, the only defense against password guessing is whatever policy the authentication server itself enforces.
- Enter the Lockout Time (0-60), which is the number of minutes for which the firewall or Panorama locks out the user after reaching the Failed Attempts limit. The default value 0 means the lockout applies until an administrator unlocks the user account.
- Click OK to save the authentication profile.
- Configure an authentication sequence. Required if you want the firewall or Panorama to try multiple authentication profiles to authenticate users. The firewall or Panorama evaluates the profiles in top-to-bottom order until one profile successfully authenticates the user.
- Select Device > Authentication Sequence and Add the authentication sequence.
- Enter a Name to identify the authentication sequence.
- If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the sequence is available.
- To expedite the authentication process, the best practice is to select Use domain to determine authentication profile: the firewall or Panorama matches the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then uses that profile to authenticate the user. If it doesn’t find a match, or if you clear the check box, it tries the profiles in top-to-bottom order.
- Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down.
- Click OK to save the authentication sequence.
- Assign the authentication profile or sequence.
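The following is an added example, not code from Palo Alto Networks or from this page: a small Python model of the login behaviour the steps above describe, so that you can see how the Username Modifier, the Advanced allow list, Failed Attempts / Lockout Time, and the authentication sequence's domain matching and top-to-bottom fallback interact before you commit a configuration. The credential stores, user names, and the way the model splits a typed domain from the user name are constructed assumptions; the real servers are replaced by in-memory lookups.

```python
# Added example (not Palo Alto Networks code): a model of the login behaviour
# described above. The backends are constructed stand-ins for real server profiles.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


def split_domain(user_input: str) -> Tuple[str, str]:
    """(domain, user) for 'DOMAIN\\user' or 'user@domain'; domain is '' if none was typed."""
    if "\\" in user_input:
        domain, user = user_input.split("\\", 1)
        return domain, user
    if "@" in user_input:
        user, domain = user_input.rsplit("@", 1)
        return domain, user
    return "", user_input


@dataclass
class AuthProfile:
    name: str
    backend: Callable[[str, str], bool]      # stand-in for the RADIUS/LDAP/Kerberos server profile
    user_domain: str = ""
    username_modifier: str = "%USERINPUT%"   # default: send the input unmodified
    kerberos_realm: str = ""
    allow_list: Set[str] = field(default_factory=set)   # empty (the default) means nobody may log in
    failed_attempts: int = 0                 # 0 = no limit
    lockout_time: int = 0                    # minutes; 0 = locked until an administrator unlocks
    failures: Dict[str, int] = field(default_factory=dict)          # per-user failure counters
    locked: Dict[str, Optional[int]] = field(default_factory=dict)  # minutes left; None = indefinite

    def modified_username(self, user_input: str) -> str:
        # Plain template substitution (assumption: a domain the user also typed is not de-duplicated)
        return (self.username_modifier.replace("%USERDOMAIN%", self.user_domain)
                .replace("%USERINPUT%", user_input))

    def authenticate(self, user_input: str, password: str) -> str:
        _, user = split_domain(user_input)
        if user in self.locked:
            return "locked"
        if "all" not in self.allow_list and user not in self.allow_list:
            return "not-allowed"
        if self.backend(self.modified_username(user_input), password):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failed_attempts and self.failures[user] >= self.failed_attempts:
            self.locked[user] = self.lockout_time or None
            self.failures.pop(user, None)
        return "bad-credentials"

    def unlock(self, user: str) -> None:      # administrator clears the lock
        self.locked.pop(user, None)

    def advance_minutes(self, minutes: int) -> None:   # timed locks expire; indefinite ones do not
        for user, left in list(self.locked.items()):
            if left is None:
                continue
            if left <= minutes:
                del self.locked[user]
            else:
                self.locked[user] = left - minutes


@dataclass
class AuthSequence:
    profiles: List[AuthProfile]               # evaluated top to bottom
    use_domain_to_find_profile: bool = True   # the recommended setting

    def authenticate(self, user_input: str, password: str) -> Tuple[str, Optional[str]]:
        domain, _ = split_domain(user_input)
        candidates = self.profiles
        if self.use_domain_to_find_profile and domain:
            hit = [p for p in self.profiles
                   if domain.lower() in (p.user_domain.lower(), p.kerberos_realm.lower())]
            if hit:                           # the matched profile is the one used
                candidates = hit[:1]
        for profile in candidates:
            if profile.authenticate(user_input, password) == "ok":
                return "ok", profile.name
        return "denied", None                 # denied only after every candidate profile failed


# Constructed credential stores standing in for a Kerberos KDC and an AD/LDAP server.
KERBEROS_PRINCIPALS = {"alice@CORP.EXAMPLE": "s3cret"}
LDAP_ACCOUNTS = {"corp\\bob": "hunter2"}


def demo() -> List[Tuple[str, Optional[str]]]:
    krb = AuthProfile("krb-sso", lambda u, pw: KERBEROS_PRINCIPALS.get(u) == pw,
                      kerberos_realm="CORP.EXAMPLE", allow_list={"all"})
    ldap = AuthProfile("corp-ldap", lambda u, pw: LDAP_ACCOUNTS.get(u) == pw,
                       user_domain="corp", username_modifier="%USERDOMAIN%\\%USERINPUT%",
                       allow_list={"bob"}, failed_attempts=3, lockout_time=0)
    seq = AuthSequence([krb, ldap])
    results = [
        seq.authenticate("alice@CORP.EXAMPLE", "s3cret"),  # realm match: only krb-sso is tried
        seq.authenticate("bob", "hunter2"),                # no domain: krb-sso fails, corp-ldap gets corp\bob
        seq.authenticate("carol", "x"),                    # carol is on no allow list: denied
    ]
    for _ in range(3):
        seq.authenticate("bob", "wrong")                   # third failure locks bob on corp-ldap
    results.append(seq.authenticate("bob", "hunter2"))     # right password, still denied: locked
    ldap.unlock("bob")
    results.append(seq.authenticate("bob", "hunter2"))     # administrator unlock restores access
    return results
```

Running demo() walks through the cases that matter when you design a sequence: a typed realm selects the Kerberos profile directly, a bare user name falls through the list until the LDAP profile (which prepends the configured domain) accepts it, a user missing from every allow list is denied regardless of password, and with Lockout Time 0 the lock persists until unlock() is called. Use advance_minutes() on a profile with a nonzero Lockout Time to see a timed lock expire.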