Palo Alto Networks firewalls and Panorama can use external
servers for many services that require authentication, including
administrator access to the web interface and end user access to
Captive Portal, GlobalProtect portals and GlobalProtect gateways.
The server protocols that firewalls and Panorama support include
Lightweight Directory Access Protocol (LDAP), Kerberos, Terminal
Access Controller Access-Control System Plus (TACACS+), and Remote
Authentication Dial-In User Service (RADIUS). If you enable both
external authentication and Kerberos single sign-on (SSO), the
firewall or Panorama first tries SSO and, only if that fails, falls
back to the external server for authentication. To configure external
authentication, you create an authentication server profile, assign
it to an authentication profile, and
then enable authentication for an administrator account or firewall/Panorama service
by assigning the authentication profile to it.