Configure Authentication Policy
Perform the following steps to configure Authentication policy for end users who access services through Captive Portal. Before starting, ensure that your Security Policy allows users to access the services and URL categories that require authentication.
- Configure Captive Portal. If you use Multi-Factor Authentication (MFA) services to authenticate users, you must set the Mode to Redirect.
- Configure the firewall to use one of the following services to authenticate users.
- External Authentication Services—Configure a server profile to define how the firewall connects to the service.
- Local database authentication—Add each user account to the local user database on the firewall.
- Kerberos single sign-on (SSO)—Create a Kerberos keytab for the firewall. Optionally, you can configure the firewall to use Kerberos SSO as the primary authentication service and, if SSO failures occur, fall back to an external service or local database authentication.
- Configure an Authentication Profile and Sequence for each set of users and Authentication policy rules that require the same authentication services and settings. Select the Type of authentication service and related settings:
- External service—Select the Type of external server and select the Server Profile you created for it.
- Local database authentication—Set the Type to Local Database. In the Advanced settings, Add the Captive Portal users and user groups you created.
- Kerberos SSO—Specify the Kerberos Realm and Import the Kerberos Keytab.
- Configure an authentication enforcement object. The object associates each authentication profile with a Captive Portal method. The method determines whether the first authentication challenge (factor) is transparent or requires a user response.
- Select Objects > Authentication and Add an object.
- Enter a Name to identify the object.
- Select an Authentication Method for the authentication service Type you specified in the authentication profile:
- browser-challenge—Select this method if you want the client browser to respond to the first authentication factor instead of having the user enter login credentials. For this method, you must have configured Kerberos SSO in the authentication profile or NT LAN Manager (NTLM) authentication in the Captive Portal settings. If the browser challenge fails, the firewall falls back to the web-form method.
- web-form—Select this method if you want the firewall to display a Captive Portal web form for users to enter login credentials.
- Select the Authentication Profile you configured.
- Enter the Message that the Captive Portal web form will display to tell users how to authenticate for the first authentication factor.
- Click OK to save the object.
- Configure an Authentication policy rule. Create a rule for each set of users, services, and URL categories that require the same authentication services and settings.
- Select Policies > Authentication and Add a rule.
- Enter a Name to identify the rule.
- Select Source and Add specific zones and IP addresses or select Any zones or IP addresses. The rule applies only to traffic coming from the specified IP addresses or from interfaces in the specified zones.
- Select User and select or Add the source users and user groups to which the rule applies (default is any).
- Select or Add the Host Information Profiles to which the rule applies (default is any).
- Select Destination and Add specific zones and IP addresses or select Any zones or IP addresses. The IP addresses can be resources (such as servers) for which you want to control access.
- Select Service/URL Category and select or Add the services and service groups for which the rule controls access (default is service-http).
- Select or Add the URL Categories for which the rule controls access (default is any). For example, you can create a custom URL category that specifies your most sensitive internal sites.
- Select Actions and select the Authentication Enforcement object you created.
- Specify the Timeout period in minutes (default 60) during which the firewall prompts the user to authenticate only once for repeated access to services and applications. Timeout is a tradeoff between tighter security (less time between authentication prompts) and the user experience (more time between authentication prompts). More frequent authentication is often the right choice for access to critical systems and sensitive areas such as a data center. Less frequent authentication is often the right choice at the network perimeter and for businesses for which the user experience is key.
- Click OK to save the rule.
- (MFA only) Customize the MFA login page. The firewall displays this page so that users can authenticate for any additional MFA factors.
- Verify that the firewall enforces Authentication policy.
- Log in to your network as one of the source users specified in an Authentication policy rule.
- Request a service or URL category that matches one specified in the rule. The firewall displays the Captive Portal web form for the first authentication factor. If you configured the firewall to use one or more MFA services, authenticate for the additional authentication factors.
- End the session for the service or URL you just accessed.
- Start a new session for the same service or application. Be sure to perform this step within the Timeout period you configured in the Authentication rule. The firewall allows access without re-authenticating.
- Wait until the Timeout period expires and request the same service or application. The firewall prompts you to re-authenticate.
- (Optional) Redistribute User Mappings and Authentication Timestamps to other firewalls that enforce Authentication policy to ensure they all apply the timeouts consistently for all users.
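The following is an added illustrative model, not PAN-OS code, of how the pieces configured above fit together at evaluation time: first-match lookup of an Authentication policy rule on source zone, user, service and URL category; the enforcement object's method, with browser-challenge falling back to web-form when the challenge fails; the per-rule Timeout, within which a user is not prompted again; and redistribution of authentication timestamps to a second firewall. Rule names, zones, users and times are constructed sample values, and user-group membership is simplified to a string match.

```python
"""Illustrative model of Authentication policy evaluation (added example, not PAN-OS code)."""
from dataclasses import dataclass, field
from typing import Optional

ANY = "any"


@dataclass(frozen=True)
class EnforcementObject:
    """Models Objects > Authentication: method + authentication profile + web-form message."""
    name: str
    method: str            # "browser-challenge" or "web-form"
    auth_profile: str      # name of the Authentication Profile the object points at
    message: str = ""


@dataclass(frozen=True)
class AuthRule:
    """Models one Policies > Authentication rule (match criteria + Actions)."""
    name: str
    enforcement: EnforcementObject
    timeout_minutes: int = 60                       # Timeout default in the Actions tab
    from_zones: frozenset = frozenset({ANY})
    users: frozenset = frozenset({ANY})             # simplified: user/group given as a string
    services: frozenset = frozenset({"service-http"})
    url_categories: frozenset = frozenset({ANY})

    def matches(self, zone: str, user: str, service: str, category: str) -> bool:
        def hit(allowed: frozenset, value: str) -> bool:
            return ANY in allowed or value in allowed
        return (hit(self.from_zones, zone) and hit(self.users, user)
                and hit(self.services, service) and hit(self.url_categories, category))


@dataclass
class AuthPolicy:
    rules: list
    # (user, rule name) -> minute at which that user last authenticated for that rule
    timestamps: dict = field(default_factory=dict)

    def first_match(self, zone, user, service, category) -> Optional[AuthRule]:
        for rule in self.rules:                     # rules are evaluated top-down, first match wins
            if rule.matches(zone, user, service, category):
                return rule
        return None

    def evaluate(self, zone, user, service, category, now_min: int, browser_ok: bool = True) -> str:
        """Return 'allow' (no rule matched, or still within Timeout) or the challenge method used."""
        rule = self.first_match(zone, user, service, category)
        if rule is None:
            return "allow"                          # no Authentication rule: Security policy alone decides
        last = self.timestamps.get((user, rule.name))
        if last is not None and now_min - last < rule.timeout_minutes:
            return "allow"                          # within Timeout: prompt only once
        method = rule.enforcement.method
        if method == "browser-challenge" and not browser_ok:
            method = "web-form"                     # browser challenge failed: fall back to the web form
        self.timestamps[(user, rule.name)] = now_min  # user authenticated; record the timestamp
        return method

    def redistribute_to(self, other: "AuthPolicy") -> None:
        """Model of redistributing authentication timestamps so peers apply Timeout consistently."""
        other.timestamps.update(self.timestamps)


def demo() -> list:
    """Walk through the verification steps above with a constructed data-center rule."""
    dc_object = EnforcementObject("dc-auth", "browser-challenge", "kerberos-sso-profile",
                                  "Sign in to reach data-center resources")
    policy = AuthPolicy(rules=[
        AuthRule("datacenter-access", dc_object, timeout_minutes=15,
                 from_zones=frozenset({"trust"}), users=frozenset({"finance-group"}),
                 url_categories=frozenset({"sensitive-internal"})),
    ])
    req = ("trust", "finance-group", "service-http", "sensitive-internal")
    results = [
        policy.evaluate(*req, now_min=0, browser_ok=False),  # first access, no ticket: web form shown
        policy.evaluate(*req, now_min=10),                   # new session within 15 min: no prompt
        policy.evaluate(*req, now_min=15),                   # Timeout expired: prompted again
        policy.evaluate("untrust", *req[1:], now_min=15),    # zone does not match any rule: no prompt
    ]
    peer = AuthPolicy(rules=policy.rules)
    policy.redistribute_to(peer)
    results.append(peer.evaluate(*req, now_min=20))          # peer honours the redistributed timestamp
    return results


if __name__ == "__main__":
    print(demo())
```

The first request shows why the browser-challenge fallback matters: a client without a Kerberos ticket is still authenticated through the web form rather than denied. The last two evaluations illustrate the optional redistribution step: without the shared timestamps, the peer firewall would prompt the user again at minute 20 even though the user authenticated at minute 15.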