End-of-Life (EoL)

Configure Local Database Authentication

You can use a local firewall database instead of an external service to manage user account credentials and authentication. For example, you might create a local database of users and user groups for specialized purposes if you don’t have permission to add them to the directory servers that your organization uses to manage regular accounts and groups. Local database authentication is available for firewall administrators and for Captive Portal and GlobalProtect end users.
If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fall-back in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators.
You can also Configure an Administrative Account to use local account management and authentication without a local database, but only for firewall administrators.
  1. Configure the user account.
    1. Select Device > Local User Database > Users and click Add.
    2. Enter a user Name for the administrator.
    3. Enter a Password and Confirm Password or enter a Password Hash.
    4. Enable the account (enabled by default) and click OK.
  2. Configure a user group.
    Required if your users require group membership.
    1. Select Device > Local User Database > User Groups and click Add.
    2. Enter a Name to identify the group.
    3. Add each user who is a member of the group and click OK.
  3. Set the authentication Type to Local Database.
  4. Assign the authentication profile to an administrator account or firewall service.
    • Specify the Name of a user you defined in Step 1.
    • Assign the Authentication Profile that you configured for the account.
    • End users—For all services, you must assign the Authentication Profile that you configured for the accounts:
  5. Verify that the firewall can communicate with the authentication server.
