Configure an Authentication Profile and Sequence
An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web interface and end users who access applications through Captive Portal or GlobalProtect. The service can be Local Authentication that the firewall provides or External Authentication Services. The authentication profile also defines options such as Kerberos single sign-on (SSO).
Some networks have multiple databases (such as TACACS+ and LDAP) for different users and user groups. To authenticate users in such cases, configure an authentication sequence—a ranked order of authentication profiles that the firewall matches a user against during login. The firewall checks against each profile in sequence until one successfully authenticates the user. If the sequence includes an authentication profile that specifies local database authentication, the firewall always checks that profile first regardless of the order in the sequence. A user is denied access only if authentication fails for all the profiles in the sequence. The sequence can specify authentication profiles that are based on any authentication service that the firewall supports excepts Multi-Factor Authentication (MFA) and SAML.
- (External service only) Enable the firewall
to connect to an external server for authenticating users:
- Set up the external server. Refer to your server documentation for instructions.
- Configure a server profile for the type of authentication
service you use.If the firewall integrates with an MFA service through RADIUS, you must add a RADIUS server profile. In this case, the MFA service provides all the authentication factors. If the firewall integrates with an MFA service through a vendor API, you can still use a RADIUS server profile for the first factor but MFA server profiles are required for additional factors.
- (Local database authentication only) Configure
a user database that is local to the firewall.Perform these steps for each user and user group for which you want to configure Local Authentication based on a user identity store that is local to the firewall:
- (Kerberos SSO only) Create a Kerberos keytab for the firewall if Kerberos single sign-on (SSO) is the primary authentication service.
- Configure an
authentication profile.Define one or both of the following:
- Kerberos SSO—The firewall first tries SSO authentication. If that fails, it falls back to the specified authentication Type.
- External authentication or local database authentication—The firewall prompts the user to enter login credentials, and uses an external service or local database to authenticate the user.
- Select DeviceAuthentication Profile and Add the authentication profile.
- Enter a Name to identify the authentication profile.
- Select the Type of authentication
service.If you use Multi-Factor Authentication, the selected type applies only to the first authentication factor. You select services for additional MFA factors in the Factors tab.If you select RADIUS, TACACS+, LDAP, or Kerberos, select the Server Profile.If you select LDAP, select the Server Profile and define the Login Attribute. For Active Directory, enter sAMAccountName as the value.If you select SAML, select the IdP Server Profile.
- If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama.
- (MFA only) Select Factors, Enable
Additional Authentication Factors, and Add the
MFA server profiles you configured.The firewall will invoke each MFA service in the listed order, from top to bottom.
- Select Advanced and Add the
users and groups that can authenticate with this profile.You can select users and groups from the local database or, if you configured the firewall to Map Users to Groups, from an LDAP-based directory service such as Active Directory. By default, the list is empty, meaning no users can authenticate.
- Click OK to save the authentication profile.
- Configure an authentication sequence.Required if you want the firewall to try multiple authentication profiles to authenticate users. The firewall evaluates the profiles in top-to-bottom order until one profile successfully authenticates the user.
- Select DeviceAuthentication Sequence and Add the authentication sequence.
- Enter a Name to identify the
authentication sequence.To expedite the authentication process, Use domain to determine authentication profile: the firewall matches the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then uses that profile to authenticate the user. If the firewall does not find a match, or if you disable the option, the firewall tries the profiles in the top-to-bottom sequence.
- Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down.
- Click OK to save the authentication sequence.
- Assign the authentication profile or sequence to an administrative
account for firewall administrators or to Authentication policy
for end users.
- Administrators—Assign the authentication profile
based on how you manager administrator authorization:Authorization managed locally on the firewall—Configure a Firewall Administrator Account.Authorization managed on a SAML, TACACS+, or RADIUS server—Select DeviceSetupManagement, edit the Authentication Settings, and select the Authentication Profile.
- End users—For the full procedure to configure authentication for end users, see Configure Authentication Policy.
- Administrators—Assign the authentication profile based on how you manager administrator authorization:
- Verify that the firewall can Test Authentication Server Connectivity to authenticate users.
Configure Local or External Authentication for Firewall Adm...
Configure Local or External Authentication for Firewall Administrators You can use Local Authentication and External Authentication Services to authenticate administrators who access the firewall. These ...
Configure Authentication Policy
Configure Authentication Policy Perform the following steps to configure Authentication policy for end users who access services through Captive Portal. Before starting, ensure that your ...
Authentication Profiles and Sequences
Authentication Profiles and Sequences An authentication profile defines the authentication service that validates the login credentials of administrators when they access Panorama. The service can ...
Configure Multi-Factor Authentication
Configure Multi-Factor Authentication To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for ...
Configure an Authentication Profile
Authentication Profile Device > Authentication Profile Select Device Authentication Profile or Panorama Authentication Profile to manage authentication profiles. To create a new profile, Add one ...
Objects > Authentication
Objects > Authentication An authentication enforcement object specifies the method and service to use for authenticating end users who access your network resources. You assign ...
Device > Authentication Sequence
Device > Authentication Sequence Device > Authentication Sequence Panorama > Authentication Sequence In some environments, user accounts reside in multiple directories (such as LDAP and ...
Configure Kerberos Server Authentication
Configure Kerberos Server Authentication You can use Kerberos to natively authenticate end users and firewall or Panorama administrators to an Active Directory domain controller or ...
Configure Local or External Authentication for Panorama Adm...
Configure Local or External Authentication for Panorama Administrators You can use an external authentication service or the service that is local to Panorama to authenticate ...