Authentication Policy and Multi-Factor Authentication
To protect services and applications from attackers, you can use the new Authentication policy to control access for end users. Authentication policy provides the benefit of letting you to choose how many authentication challenges of different types (factors) users must respond to. Using multiple factors of authentication (MFA) is particularly useful for protecting your most sensitive services and applications. For example, you can force users to enter a login password and then enter a verification code that they receive by phone before accessing critical financial documents. To reduce the frequency of MFA challenges that interrupt the user workflow, you can specify an authentication timeout period during which a user responds to the challenges only once for repeated access to services and applications.
The MFA factors that the firewall supports include Push, Short Message Service (SMS), Voice, and One-time password (OTP) authentication. The firewall integrates with MFA vendors through:
- APIs—The supported vendors are Duo v2, Okta Adaptive, and PingID. Palo Alto Networks will periodically add or update support for MFA vendor APIs through Applications content updates.
- RADIUS—The firewall supports all vendors through RADIUS.
- Configure Captive Portal inRedirectmode.The firewall uses the Captive Portal web form to prompt users for the first authentication factor. The firewall also uses Captive Portal to record the timestamps associated with successful authentication events. The firewall uses the timestamps to evaluate the authentication timeout periods that you set in Authentication policy rules (later in this procedure).
- Configure a server profile that defines how the firewall connects to the service that provides the first authentication factor.
- SelectandDeviceServer ProfilesMulti Factor AuthenticationAddan MFA server profile for each authentication factor after the first factor.
- SelectandDeviceAuthentication ProfileAddan authentication profile.The profile specifies the order in which the firewall evokes authentication factors.
- First factor—Select theTypeand select theServer Profileyou configured.
- Additional factors—SelectFactors,Enable Additional Authentication Factors, andAddthe MFA server profiles you configured.
- SelectandObjectsAuthenticationAddan authentication enforcement object to associate the authentication profile with a Captive Portal method for authenticating users and for recording authentication timestamps.
- SelectandPoliciesAuthenticationAddan Authentication policy rule.
- For the Destination Address, you can specify the IP addresses of the services and applications (such as servers) that require authentication for users to access them.
- For theActions, select theAuthentication Enforcementobject you configured and specify theTimeoutperiod in minutes (default 60) during which the firewall prompts the user to authenticate only once for repeated access to services and applications. The firewall evaluates theTimeoutbased on the timestamps it recorded for authentication events.
- Customize the MFA login page that the firewall displays to tell users how to respond to MFA challenges—Select, selectDeviceResponse PagesMFA Login Page,ExportthePredefinedresponse page to your client system, and use an HTML editor to customize the page. When you finish customizing the page, save it with a unique name andImportit back onto the firewall.
- Configure a Security policy that allows users to access the services and applications that require authentication, and thenCommityour changes.
- Verify that the firewall enforces MFA by logging in to your network as one of the users specified in the Authentication rule and requesting a service or application specified in the rule.The firewall displays the Captive Portal web form for the first authentication factor.After you enter your login credentials, the firewall displays an MFA login page for the next authentication factor.After you respond to all the authentication factors, the firewall evaluates Security policy and provides access to the service or application.The automated correlation engine on the firewall uses several new correlation objects to detect events on your network that could indicate credential abuse relating to MFA. To review the events, select.MonitorAutomated Correlation EngineCorrelated Events
Recommended For You
Recommended videos not found.