Configure LDAP Authentication

You can use LDAP to authenticate end users who access applications or services through Captive Portal and authenticate firewall or Panorama administrators who access the web interface.
You can also connect to an LDAP server to define policy rules based on user groups. For details, see Map Users to Groups.
  1. Add an LDAP server profile.
    The profile defines how the firewall connects to the LDAP server.
    1. Select
      Device
      Server Profiles
      LDAP
      and
      Add
      a server profile.
    2. Enter a
      Profile Name
      to identify the server profile.
    3. (
      Multi-vsys only
      ) Select the
      Location
      in which the profile is available.
    4. (
      Optional
      ) Select
      Administrator Use Only
      to restrict access to administrators.
    5. Add
      the LDAP servers (up to four). For each server, enter a
      Name
      (to identify the server),
      LDAP Server
      IP address or FQDN, and server
      Port
      (default 389).
      If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
    6. Select the server
      Type
      .
    7. Select the
      Base DN
      .
    8. Enter the
      Bind DN
      and
      Password
      to enable the authentication service to authenticate the firewall.
    9. Enter the
      Bind Timeout
      and
      Search Timeout
      in seconds (default is 30 for both).
    10. Enter the
      Retry Interval
      in seconds (default is 60).
    11. (
      Optional
      ) If you want the endpoint to use SSL or TLS for a more secure connection with the directory server, enable the option to
      Require SSL/TLS secured connection
      (enabled by default). The protocol that the endpoint uses depends on the server port:
      • 389 (default)—TLS (Specifically, the device uses the StartTLS operation, which upgrades the initial plaintext connection to TLS.)
      • 636—SSL
      • Any other port—The device first attempts to use TLS. If the directory server doesn’t support TLS, the device falls back to SSL.
    12. (
      Optional
      ) For additional security, enable to the option to
      Verify Server Certificate for SSL sessions
      so that the endpoint verifies the certificate that the directory server presents for SSL/TLS connections. To enable verification, you must also enable the option to
      Require SSL/TLS secured connection
      . For verification to succeed, the certificate must meet one of the following conditions:
      • It is in the list of device certificates:
        Device
        Certificate Management
        Certificates
        Device Certificates.
        If necessary, import the certificate into the device.
      • The certificate signer is in the list of trusted certificate authorities:
        Device
        Certificate Management
        Certificates
        Default Trusted Certificate Authorities
        .
    13. Click
      OK
      to save the server profile.
  2. Assign the server profile to Configure an Authentication Profile and Sequence to define various authentication settings.
  3. Assign the authentication profile to the firewall application that requires authentication.
  4. Verify that the firewall can Test Authentication Server Connectivity to authenticate users.

Related Documentation