1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. Authentication Features
    5. Authentication Policy and Multi-Factor Authentication
    End-of-Life (EoL)

    Authentication Policy and Multi-Factor Authentication

    To protect services and applications from attackers, you can use the new Authentication policy to control access for end users. Authentication policy provides the benefit of letting you to choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive services and applications. For example, you can force users to enter a login password and then enter a verification code that they receive by phone before accessing critical financial documents. To reduce the frequency of MFA challenges that interrupt the user workflow, you can specify an authentication timeout period during which a user responds to the challenges only once for repeated access to services and applications.
    The MFA factors that the firewall supports include Push, Short Message Service (SMS), Voice, and One-time password (OTP) authentication. The firewall integrates with MFA vendors through:
    • APIs—The supported vendors are Duo v2, Okta Adaptive, and PingID. Palo Alto Networks will periodically add or update support for MFA vendor APIs through Applications content updates.
    • RADIUS—The firewall supports all vendors through RADIUS.
    1. Configure Captive Portal in
      Redirect
       mode.
      The firewall uses the Captive Portal web form to prompt users for the first authentication factor. The firewall also uses Captive Portal to record the timestamps associated with successful authentication events. The firewall uses the timestamps to evaluate the authentication timeout periods that you set in Authentication policy rules (later in this procedure).
    2. Configure a server profile that defines how the firewall connects to the service that provides the first authentication factor.
      For example, to add an LDAP server profile, select
      Device
      Server Profiles
      LDAP
       and
      Add
       a profile.
    3. Select
      Device
      Server Profiles
      Multi Factor Authentication
       and
      Add
       an MFA server profile for each authentication factor after the first factor.
    4. Select
      Device
      Authentication Profile
       and
      Add
       an authentication profile.
      The profile specifies the order in which the firewall evokes authentication factors.
      • First factor—Select the
        Type
         and select the
        Server Profile
         you configured.
      • Additional factors—Select
        Factors
        ,
        Enable Additional Authentication Factors
        , and
        Add
         the MFA server profiles you configured.
    5. Select
      Objects
      Authentication
       and
      Add
       an authentication enforcement object to associate the authentication profile with a Captive Portal method for authenticating users and for recording authentication timestamps.
    6. Select
      Policies
      Authentication
       and
      Add
       an Authentication policy rule.
      • For the Destination Address, you can specify the IP addresses of the services and applications (such as servers) that require authentication for users to access them.
      • For the
        Actions
        , select the
        Authentication Enforcement
         object you configured and specify the
        Timeout
         period in minutes (default 60) during which the firewall prompts the user to authenticate only once for repeated access to services and applications. The firewall evaluates the
        Timeout
         based on the timestamps it recorded for authentication events.
    7. Customize the MFA login page that the firewall displays to tell users how to respond to MFA challenges—Select
      Device
      Response Pages
      , select
      MFA Login Page
      ,
      Export
       the
      Predefined
       response page to your client system, and use an HTML editor to customize the page. When you finish customizing the page, save it with a unique name and
      Import
       it back onto the firewall.
    8. Configure a Security policy that allows users to access the services and applications that require authentication, and then
      Commit
       your changes.
    9. Verify that the firewall enforces MFA by logging in to your network as one of the users specified in the Authentication rule and requesting a service or application specified in the rule.
      The firewall displays the Captive Portal web form for the first authentication factor.
      After you enter your login credentials, the firewall displays an MFA login page for the next authentication factor.
      After you respond to all the authentication factors, the firewall evaluates Security policy and provides access to the service or application.
      The automated correlation engine on the firewall uses several new correlation objects to detect events on your network that could indicate credential abuse relating to MFA. To review the events, select
      Monitor
      Automated Correlation Engine
      Correlated Events
      .

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo