Authentication policy enables you to authenticate end
users before they can access services and applications. Whenever
a user requests a service or application (such as by visiting a
web page), the firewall evaluates Authentication policy. Based on
the matching Authentication policy rule, the firewall then prompts
the user to authenticate using one or more methods (factors), such
as login and password, Voice, SMS, Push, or One-Time Password (OTP) authentication.
For the first factor, users authenticate through a Captive Portal
web form. For any additional factors, users authenticate through
a Multi-Factor Authentication (MFA) login page.
After the user authenticates for all factors, the firewall evaluates Security
policy to determine whether to allow access to the service or application.
To reduce the frequency of authentication challenges that interrupt
the user workflow, you can specify a timeout period during which
a user authenticates only for initial access to services and applications, not
for subsequent access. Authentication policy integrates with Captive
Portal to record the timestamps used to evaluate the timeout and
to enable user-based policies and reports.
Based on user information that the firewall collects during authentication,
User-ID creates a new IP address-to-username mapping or updates
the existing mapping for that user (if the mapping information has
changed). The firewall generates User-ID logs to record the additions
and updates. The firewall also generates an Authentication log for
each request that matches an Authentication rule. If you favor centralized
monitoring, you can configure reports based on User-ID or Authentication
logs and forward the logs to Panorama or external services as you
would for any other log types.
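As an added illustration of the flow described above (this is a model written for this page, not PAN-OS code and not from the original documentation), the following Python simulates one firewall evaluating Authentication policy: a request matches a rule, an Authentication log entry is recorded, the timeout is checked against the last recorded authentication timestamp, each factor is challenged in turn, and on success the IP address-to-username mapping is created or updated with a User-ID log entry only when the mapping actually changes. The class names (`AuthRule`, `Firewall`), matching on source zone alone, the `authenticate(factor)` callback that stands in for the user completing a factor, and the decision strings are all assumptions made for the example.

```python
"""Model of the Authentication policy flow (hypothetical, not PAN-OS code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class AuthRule:
    name: str
    source_zone: str          # assumed match criterion; real rules match on more fields
    factors: Tuple[str, ...]  # first factor via Captive Portal, the rest via the MFA page
    timeout_s: int            # seconds before the user must authenticate again


@dataclass
class Firewall:
    rules: List[AuthRule]
    # (ip, rule name) -> time of the last successful authentication (Captive Portal timestamp)
    auth_timestamps: Dict[Tuple[str, str], float] = field(default_factory=dict)
    ip_user_map: Dict[str, str] = field(default_factory=dict)  # User-ID IP-to-username mapping
    userid_log: List[dict] = field(default_factory=list)       # additions/updates to the mapping
    auth_log: List[dict] = field(default_factory=list)         # one entry per matching request

    def match_rule(self, zone: str) -> Optional[AuthRule]:
        """Return the first rule whose source zone matches (top-down, first match wins)."""
        for rule in self.rules:
            if rule.source_zone == zone:
                return rule
        return None

    def _update_user_mapping(self, ip: str, user: str) -> None:
        """Create or update the mapping for this IP; log only when something changed."""
        previous = self.ip_user_map.get(ip)
        if previous == user:
            return  # unchanged mapping: no User-ID log entry
        self.ip_user_map[ip] = user
        self.userid_log.append({"ip": ip, "user": user,
                                "action": "add" if previous is None else "update"})

    def request(self, ip: str, zone: str, now: float,
                authenticate: Callable[[str], Optional[str]]) -> str:
        """Evaluate Authentication policy for one request from `ip` at time `now`.

        `authenticate(factor)` models the user completing a factor: it returns
        the username on success or None on failure.  The return value is a
        decision string; on "allowed" Security policy would be evaluated next.
        """
        rule = self.match_rule(zone)
        if rule is None:
            return "no-auth-rule"  # Authentication policy does not apply to this request
        self.auth_log.append({"ip": ip, "rule": rule.name, "time": now})

        last = self.auth_timestamps.get((ip, rule.name))
        if last is not None and now - last < rule.timeout_s:
            return "allowed-cached"  # within the timeout: no new challenge for this user

        user = None
        for factor in rule.factors:
            result = authenticate(factor)
            if result is None:
                return "denied"  # a failed factor ends the sequence; nothing is recorded
            user = user or result  # the identity comes from the first (Captive Portal) factor
        self.auth_timestamps[(ip, rule.name)] = now
        self._update_user_mapping(ip, user)
        return "allowed"


if __name__ == "__main__":
    # Constructed scenario: one rule, one client IP, a 300-second timeout.
    fw = Firewall([AuthRule("corp-users", "trust", ("captive-portal", "mfa-otp"), 300)])
    as_alice = lambda factor: "alice"
    print(fw.request("10.0.0.5", "trust", 0, as_alice))    # allowed (full challenge)
    print(fw.request("10.0.0.5", "trust", 100, as_alice))  # allowed-cached (within timeout)
    print(fw.request("10.0.0.5", "trust", 400, as_alice))  # allowed (re-challenged, mapping unchanged)
    print(fw.userid_log)                                   # single "add" entry
```

The separation between `auth_log` (every matching request) and `userid_log` (only mapping additions and updates) mirrors the two log types the page describes, which is why the second and third requests above add Authentication log entries but no User-ID log entries.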