End-of-Life (EoL)
Select Device > Authentication Profile or Panorama > Authentication Profile to configure authentication settings that you can apply to administrator accounts, SSL-VPN access, and Captive Portal. The firewall and Panorama support local, RADIUS, TACACS+, LDAP, and Kerberos authentication services.
After you configure an authentication profile, use the test authentication CLI command to determine if your firewall or Panorama management server can communicate with the back-end authentication server and if the authentication request was successful. You can perform authentication tests on the candidate configuration to determine whether the configuration is correct before you commit.
Authentication Profile Setting Description
Name Enter a name to identify the profile. The name is case-sensitive, can have up to 31 characters, and can include only letters, numbers, spaces, hyphens, underscores, and periods. The name must be unique in the current Location (firewall or virtual system) relative to other authentication profiles and to authentication sequences. In a firewall that is in multiple virtual systems mode (multi-vsys mode), if the Location of the authentication profile is a vsys, don’t enter the same name as an authentication sequence in the Shared location. Similarly, if the profile Location is Shared, don’t enter the same name as a sequence in a vsys. While you can commit an authentication profile and sequence with the same names in these cases, reference errors might occur.
Location Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location ; its value is predefined as Shared (for firewalls) or as Panorama. After you save the profile, you can’t change its Location.
Authentication Tab
Type Select the authentication type: None —Do not use any authentication on the firewall. Local Database —Use the authentication database on the firewall. RADIUS —Use a RADIUS server for authentication. TACACS+ —Use a TACACS+ server for authentication. LDAP —Use LDAP for authentication. Kerberos —Use Kerberos for authentication.
Server Profile If the authentication Type is RADIUS, TACACS+, LDAP, or Kerberos, select the authentication server profile from the drop-down. See Device > Server Profiles > RADIUS, Device > Server Profiles > TACACS+, Device > Server Profiles > LDAP, and Device > Server Profiles > Kerberos.
Retrieve User Group If the authentication Type is RADIUS, select RADIUS Vendor-Specific Attributes (VSAs) to define the group that has access to the firewall.
Login Attribute If the authentication Type is LDAP, enter an LDAP directory attribute that uniquely identifies the user and functions as the login ID for that user.
Password Expiry Warning If the authentication Type is LDAP and the authentication profile is for GlobalProtect users, enter the number of days before password expiration to start displaying notification messages to users to alert them that their passwords are expiring in x number of days. By default, notification messages will display seven days before password expiry (range is 1–255). Users will not be able to access the VPN if their passwords expire. Consider configuring the agents to use pre-logon connect method. This will enable users to connect to the domain to change their passwords even after the password has expired. If users allow their passwords to expire, the administrator can assign a temporary LDAP password to enable users to log in to the VPN. In this workflow, we recommend setting the Authentication Modifier in the portal configuration to Cookie authentication for config refresh (otherwise, the temporary password will be used to authenticate to the portal, but the gateway login will fail, preventing VPN access).
User Domain and Username Modifier The firewall combines the User Domain and Username Modifier values to modify the domain/username string that a user enters during login. The firewall uses the modified string for authentication and uses the User Domain value for User-ID group mapping. Select from the following options: To send only the unmodified user input, leave the User Domain blank (the default) and set the Username Modifier to the variable %USERINPUT% (the default). To prepend a domain to the user input, enter a User Domain and set the Username Modifier to %USERDOMAIN%\%USERINPUT%. To append a domain to the user input, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%. If the Username Modifier includes the %USERDOMAIN% variable, the User Domain value replaces any domain string that the user enters. If you specify the %USERDOMAIN% variable and leave the User Domain blank, the firewall removes any user-entered domain string. The firewall resolves domain names to the appropriate NetBIOS name for User-ID group mapping. This applies to both parent and child domains. User Domain modifiers take precedence over automatically derived NetBIOS names.
Kerberos Realm If your network supports Kerberos single sign-on (SSO), enter the Kerberos Realm (up to 127 characters). This is the hostname portion of the user login name. For example, the user account name user@EXAMPLE.LOCAL has realm EXAMPLE.LOCAL.
Kerberos Keytab If your network supports Kerberos single sign-on (SSO), click Import, click Browse to locate the keytab file, and then click OK. A keytab contains Kerberos account information (principal name and hashed password) for the firewall, which is required for SSO authentication. Each authentication profile can have one keytab. During authentication, the firewall first tries to use the keytab to establish SSO. If it succeeds and the user attempting access is in the Allow List, authentication succeeds immediately. Otherwise, the authentication process falls back to manual (username/password) authentication of the specified Type, which doesn’t have to be Kerberos. For details on creating keytabs, see the PAN-OS 7.1 Administrator’s Guide . If the firewall is in FIPS/CC mode, the algorithm must be aes128-cts-hmac-sha1-96 or aes256-cts-hmac-sha1-96. Otherwise, you can also use des3-cbc-sha1 or arcfour-hmac. The algorithm in the keytab has to match the algorithm in the service ticket that the Ticket Granting Service issues to clients to enable SSO. Otherwise, the SSO process fails. Your Kerberos administrator determines which algorithms the service tickets use.
Advanced Tab
Allow List Click Add and select all or select the specific users and groups that are allowed to authenticate with this profile. If you don’t add entries, no users can authenticate. If you entered a User Domain value, you don’t need to specify domains in the Allow List. For example, if the User Domain is businessinc and you want to add user admin1 to the Allow List, entering admin1 has the same effect as entering businessinc\admin1. You can specify groups that already exist in your directory service or specify custom groups based on LDAP filters. To remove users or user groups, select them and click Delete.
Failed Attempts Enter the number of failed login attempts (1-10) that the firewall allows before locking out the user account. A value of 0 (default) specifies unlimited login attempts. Limiting login attempts can help protect against brute force attacks. If you set the Failed Attempts to a value other than 0 but leave the Lockout Time at 0, the user is locked out after the set number of failed login attempts until another administrator manually unlocks the account.
Lockout Time Enter the number of minutes (0-60) for which the firewall locks out a user account after the user reaches the number of Failed Attempts. A value of 0 (default) means the lockout applies until an administrator manually unlocks the user account. If you set the Lockout Time to a value other than 0 but leave the Failed Attempts at 0, the Lockout Time is ignored and the user is never locked out.

Recommended For You