Configure Local or External Authentication for Firewall Administrators

You can use Local Authentication and External Authentication Services to authenticate administrators who access the firewall. These authentication methods prompt administrators to respond to one or more authentication challenges, such as a login page for entering a username and password.
If you use an external service to manage both authentication and authorization (role and access domain assignments), see:
  1. (External authentication only) Enable the firewall to connect to an external server for authenticating administrators.
    Configure a server profile:
  2. (Local database authentication only) Configure a user database that is local to the firewall.
  3. (Local authentication only) Define password complexity and expiration settings.
    These settings help protect the firewall against unauthorized access by making it harder for attackers to guess passwords.
    1. Define global password complexity and expiration settings for all local administrators. The settings don’t apply to local database accounts for which you specified a password hash instead of a password (see Local Authentication).
      1. Select Device > Setup > Management and edit the Minimum Password Complexity settings.
      2. Select Enabled.
      3. Define the password settings and click OK.
    2. Define a Password Profile.
      You assign the profile to administrator accounts for which you want to override the global password expiration settings. The profiles are available only to accounts that are not associated with a local database (see Local Authentication).
      1. Select Device > Password Profiles and Add a profile.
      2. Enter a Name to identify the profile.
      3. Define the password expiration settings and click OK.
  4. (Kerberos SSO only) Create a Kerberos keytab.
    A keytab is a file that contains Kerberos account information for the firewall. To support Kerberos SSO, your network must have a Kerberos infrastructure.
  5. Configure an authentication profile.
    If your administrative accounts are stored across multiple types of servers, you can create an authentication profile for each type and add all the profiles to an authentication sequence.
    Configure an Authentication Profile and Sequence. In the authentication profile, specify the Type of authentication service and related settings:
    • External service—Select the Type of external service and select the Server Profile you created for it.
    • Local database authentication—Set the Type to Local Database.
    • Local authentication without a database—Set the Type to None.
    • Kerberos SSO—Specify the Kerberos Realm and Import the Kerberos Keytab.
  6. Assign the authentication profile or sequence to an administrator account.
      • Assign the Authentication Profile or sequence that you configured.
      • (Local database authentication only) Specify the Name of the user account you added to the local database.
    1. Commit your changes.
    2. (Optional) Test Authentication Server Connectivity to verify that the firewall can use the authentication profile to authenticate administrators.
