Device > Server Profiles > Multi Factor Authentication
Use this page to configure a multi-factor authentication (MFA) server profile that defines how the firewall connects to an MFA server. MFA can protect your most sensitive resources by ensuring that attackers cannot access your network and move laterally through it by compromising a single authentication factor (for example, stealing login credentials). The firewall supports MFA only for end users, not firewall administrators. You can configure an MFA server profile for Duo v2, Okta Adaptive, and PingID MFA. After configuring the server profile, assign it to authentication profiles for the services that require authentication (see Device > Authentication Profile).
The complete procedure to configure MFA requires additional tasks besides creating a server profile.
Authentication sequences do not support authentication profiles that specify MFA server profiles.
If the firewall integrates with your MFA vendor through RADIUS, configure a RADIUS server profile (see Device > Server Profiles > RADIUS). The firewall supports all MFA vendors through RADIUS.
MFA Server Settings
Enter a name to identify the server (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
On a firewall that has more than one virtual system (vsys), select a vsys or the Shared location. After you save the profile, you cannot change its Location.
Select the Certificate Profile that specifies the certificate authority (CA) certificate that the firewall will use to validate the MFA server certificate when setting up a secure connection to the server. For details, see Device > Certificate Management > Certificate Profile.
MFA Vendor / Value
Select an MFA vendor MFA Vendor and enter a Value for each vendor attribute. The attributes vary by vendor. Refer to your vendor documentation for the correct values.
Authentication Policy and Multi-Factor Authentication
Authentication Policy and Multi-Factor Authentication To protect services and applications from attackers, you can use the new Authentication policy to control access for end users. ...
Authentication Timestamps When configuring an Authentication policy rule, you can specify a timeout period during which a user authenticates only for initial access to services ...
Configure MFA Between RSA SecurID and the Firewall
Configure MFA Between RSA SecurID and the Firewall Multi-factor authentication allows you to protect company assets by using multiple factors to verify a user’s identity ...
Configure Multi-Factor Authentication
Configure Multi-Factor Authentication To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for ...
Multi-Factor Authentication You can Configure Multi-Factor Authentication (MFA) to ensure that each user authenticates using multiple methods (factors) when accessing highly sensitive services and applications. ...
Configure an Authentication Profile
Authentication Profile Device > Authentication Profile Select Device Authentication Profile or Panorama Authentication Profile to manage authentication profiles. To create a new profile, Add one ...
Authentication Features New Authentication Features Description SAML 2.0 Authentication The firewall and Panorama™ can now function as Security Assertion Markup Language (SAML) 2.0 service providers ...
Configure RADIUS Authentication
Configure RADIUS Authentication You can configure RADIUS authentication for end users and firewall or Panorama administrators. For administrators, you can use RADIUS to manage authorization ...
Device > Server Profiles > RADIUS
Device > Server Profiles > RADIUS Select Device Server Profiles RADIUS or Panorama Server Profiles RADIUS to configure settings for the Remote Authentication Dial-In User ...