End-of-Life (EoL)

Configure an Authentication Profile and Sequence

An authentication profile defines the authentication service that validates the login credentials of firewall or Panorama administrators and Captive Portal or GlobalProtect end users. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).
Some networks have multiple databases for different users and user groups (for example, TACACS+ and LDAP). To authenticate users in such cases, configure an authentication sequence, which is a ranked order of authentication profiles that the firewall or Panorama matches a user against during login. The firewall or Panorama checks against each profile in sequence until one successfully authenticates the user. A user is denied access only if authentication fails for all the profiles in the authentication sequence.
  1. Create a Kerberos keytab.
    Required if the firewall or Panorama will use Kerberos SSO authentication.
    Create a Kerberos keytab. A keytab is a file that contains Kerberos account information (principal name and hashed password) for the firewall or Panorama.
  2. Configure a local database (firewall only) or external server profile (firewall or Panorama).
    Required for local database or external authentication.
    • Local database authentication—Perform the following tasks:
  3. Configure an authentication profile.
    Define one or both of the following:
    • Kerberos SSO—The firewall or Panorama first tries SSO authentication. If that fails, it falls back to the specified authentication Type.
    • Local database or external authentication—The firewall or Panorama prompts the user to enter login credentials, and uses its local database (firewalls only) or an external service to authenticate the user.
    1. Select Device > Authentication Profile and Add the authentication profile.
    2. Enter a Name to identify the authentication profile.
    3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the profile is available.
    4. Select the authentication Type. If you select RADIUS, TACACS+, LDAP, or Kerberos, select the authentication Server Profile from the drop-down.
      If the Type is LDAP, define the Login Attribute. For Active Directory, enter sAMAccountName as the value.
    5. (Optional) Select the User Domain and Username Modifier options as follows to modify the domain/username string that the user enters during login. This is useful when the authentication service requires the string in a particular format and you don’t want to rely on users to enter the domain correctly.
      • To send only the unmodified user input, leave the User Domain blank (the default) and set the Username Modifier to the variable %USERINPUT% (the default).
      • To prepend a domain to the user input, enter a User Domain and set the Username Modifier to %USERDOMAIN%\%USERINPUT%.
      • To append a domain to the user input, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%.
    6. If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama.
    7. Select Advanced and Add the users and groups that can authenticate with this profile. You can select users and groups from the local database or, if you configured an LDAP server profile, from an LDAP-based directory service such as Active Directory. Selecting all allows every user to authenticate. By default, the list is empty, meaning no users can authenticate.
      You can also create and allow custom groups based on LDAP filters: see Map Users to Groups.
    8. Enter the number of Failed Attempts (0-10) that the firewall or Panorama allows before locking out the user. The default value 0 means there is no limit.
    9. Enter the Lockout Time (0-60), which is the number of minutes for which the firewall or Panorama locks out the user after reaching the Failed Attempts limit. The default value 0 means the lockout applies until an administrator unlocks the user account.
    10. Click OK to save the authentication profile.
  4. Configure an authentication sequence.
    Required if you want the firewall or Panorama to try multiple authentication profiles to authenticate users. The firewall or Panorama evaluates the profiles in top-to-bottom order until one profile successfully authenticates the user.
    1. Select Device > Authentication Sequence and Add the authentication sequence.
    2. Enter a Name to identify the authentication sequence.
    3. If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the sequence is available.
      To expedite the authentication process, the best practice is to Use domain to determine authentication profile: the firewall or Panorama matches the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then uses that profile to authenticate the user. If the firewall or Panorama doesn’t find a match, or if you clear the check box, it tries the profiles in top-to-bottom order.
    4. Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down.
    5. Click OK to save the authentication sequence.
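As an added illustration (not PAN-OS code and not part of this documentation), the following Python models the behaviour that the profile and sequence procedures above describe: the Username Modifier variables from step 5 of the profile, the Failed Attempts lockout from steps 8 and 9, and sequence evaluation that matches the login domain against a profile's User Domain or Kerberos Realm first and otherwise tries profiles top-to-bottom. The AuthProfile class, the verify callback, and the sample user stores are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

@dataclass
class AuthProfile:
    name: str
    verify: Callable[[str, str], bool]   # constructed back-end check: (username, password) -> bool
    user_domain: str = ""                # User Domain (blank = default)
    username_modifier: str = "%USERINPUT%"
    kerberos_realm: str = ""             # UPPERCASE realm when Kerberos SSO is enabled
    failed_attempts: int = 0             # 0 = no limit

def apply_modifier(p: AuthProfile, user_input: str) -> str:
    """Step 5: build the username string that is sent to the authentication service."""
    return p.username_modifier.replace("%USERDOMAIN%", p.user_domain).replace("%USERINPUT%", user_input)

def authenticate(sequence: List[AuthProfile], login: str, password: str,
                 failures: Dict[Tuple[str, str], int], use_domain: bool = True) -> Optional[str]:
    """Domain match first (if enabled), else top-to-bottom; returns the name of the profile that
    authenticated the user, or None. failures = per (profile, user) count; no Lockout Time expiry."""
    if "\\" in login:                     # DOMAIN\user
        domain, _, user = login.partition("\\")
    elif "@" in login:                    # user@domain
        user, _, domain = login.partition("@")
    else:
        domain, user = "", login
    candidates = sequence
    if use_domain and domain:
        matched = [p for p in sequence
                   if domain.lower() in (p.user_domain.lower(), p.kerberos_realm.lower())]
        if matched:                       # 'Use domain to determine authentication profile'
            candidates = matched[:1]
    for p in candidates:
        key = (p.name, user)
        if p.failed_attempts and failures.get(key, 0) >= p.failed_attempts:
            continue                      # user is locked out on this profile
        if p.verify(apply_modifier(p, user), password):
            failures.pop(key, None)
            return p.name
        failures[key] = failures.get(key, 0) + 1
    return None

# Constructed sample back-ends standing in for an LDAP server and the local database.
LDAP_USERS = {"corp\\alice": "pw-alice"}
LOCAL_USERS = {"bob": "pw-bob"}
SEQUENCE = [
    AuthProfile("corp-ldap", lambda u, pw: LDAP_USERS.get(u) == pw, user_domain="corp",
                username_modifier="%USERDOMAIN%\\%USERINPUT%", failed_attempts=3),
    AuthProfile("local-db", lambda u, pw: LOCAL_USERS.get(u) == pw),
]
```

With these settings, a login of corp\alice or alice@corp goes only to the corp-ldap profile, a bare username falls through the sequence to the local database, and a fourth attempt after three failures is refused even with the correct password.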
  5. Assign the authentication profile or sequence.
    Test Authentication Server Connectivity to verify that an authentication profile can communicate with the back-end authentication server and that the authentication request succeeded.
