Configure Local or External Authentication for Firewall Administrators
If you use an external service to manage both authentication and authorization (role and access domain assignments), see:
To authenticate administrators without a challenge-response mechanism, you can Configure Certificate-Based Administrator Authentication to the Web Interface and Configure SSH Key-Based Administrator Authentication to the CLI.
- (External authentication only) Enable the firewall to connect to an external server for authenticating administrators.Configure a server profile:
- If the firewall integrates with a Multi-Factor Authentication (MFA) service through RADIUS, you must add a RADIUS server profile. In this case, the MFA service provides all the authentication factors (challenges). If the firewall integrates with an MFA service through a vendor API, you can still use a RADIUS server profile for the first factor but MFA server profiles are required for additional factors.
- (Local authentication only) Define password complexity and expiration settings.These settings help protect the firewall against unauthorized access by making it harder for attackers to guess passwords.
- Define global password complexity and expiration settings for all local administrators. The settings don’t apply to local database accounts for which you specified a password hash instead of a password (see Local Authentication).
- Selectand edit the Minimum Password Complexity settings.DeviceSetupManagement
- Define the password settings and clickOK.
- Define a Password Profile.You assign the profile to administrator accounts for which you want to override the global password expiration settings. The profiles are available only to accounts that are not associated with a local database (see Local Authentication).
- SelectandDevicePassword ProfilesAdda profile.
- Enter aNameto identify the profile.
- Define the password expiration settings and clickOK.
- Configure an authentication profile.If your administrative accounts are stored across multiple types of servers, you can create an authentication profile for each type and add all the profiles to an authentication sequence.Configure an Authentication Profile and Sequence. In the authentication profile, specify theTypeof authentication service and related settings:
- External service—Select theTypeof external service and select theServer Profileyou created for it.
- Local database authentication—Set theTypetoLocal Database.
- Local authentication without a database—Set theTypetoNone.
- Kerberos SSO—Specify theKerberos RealmandImporttheKerberos Keytab.
- Assign the authentication profile or sequence to an administrator account.
- Assign theAuthentication Profileor sequence that you configured.
- (Local database authentication only) Specify theNameof the user account you added to the local database.
- Commityour changes.
- (Optional) Test Authentication Server Connectivity to verify that the firewall can use the authentication profile to authenticate administrators.