Objects > Authentication
An authentication enforcement object specifies the method and service to use for authenticating end users who access your network resources. You assign the object to Authentication policy rules, which invoke the authentication method and service when traffic matches a rule (see Policies > Authentication).
The firewall has the following predefined, read-only authentication enforcement objects:
- default-browser-challenge—The firewall transparently obtains user authentication credentials. If you select this action, you must enable Kerberos Single Sign-On (SSO) or NT LAN Manager (NTLM) authentication when you configure Captive Portal . If Kerberos SSO authentication fails, the firewall falls back to NTLM authentication. If you did not configure NTLM, or NTLM authentication fails, the firewall falls back to the authentication method specified in the predefined default-web-form object.
- default-web-form—To authenticate users, the firewall uses the certificate profile or authentication profile you specified when configuring Captive Portal . If you specified an authentication profile, the firewall ignores any Kerberos SSO settings in the profile and presents a Captive Portal page for the user to enter authentication credentials.
- default-no-captive-portal—The firewall evaluates Security policy without authenticating users.
Before creating a custom authentication enforcement object:
- Configure a server profile that specifies how to connect to the authentication service (see Device > Server Profiles).
- Assign the server profile to an authentication profile that specifies authentication settings such as Kerberos single sign-on parameters (see Device > Authentication Profile).
To create a custom authentication enforcement object, click Add and complete the following fields:
Authentication Enforcement Settings
Enter a descriptive name (up to 31 characters) to help you identify the object when defining Authentication rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared (Panorama only)
Select this option if you want the object to be available to:
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this authentication enforcement object in device groups that inherit the object. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the object.
Select a method:
Select the authentication profile that specifies the service to use for validating the identities of users.
Enter instructions that tell users how to respond to the first authentication challenge that they see when their traffic triggers the Authentication rule. The message displays in the Captive Portal Comfort Page. If you don’t enter a message, the default Captive Portal Comfort Page displays (see Device > Response Pages).
The firewall displays the Captive Portal Comfort Page only for the first authentication challenge (factor), which you define in the Authentication tab of the Authentication Profile (see Device > Authentication Profile). For multi-factor authentication (MFA) challenges that you define in the Factors tab of the profile, the firewall displays the MFA Login Page.
Configure Authentication Policy
Configure Authentication Policy Perform the following steps to configure Authentication policy for end users who access services through Captive Portal. Before starting, ensure that your ...
Device > User Identification > Captive Portal Settings
Device > User Identification > Captive Portal Settings Edit ( ) the Captive Portal Settings to configure the firewall to authenticate users whose traffic matches ...
Configure Captive Portal
Configure Captive Portal The following procedure shows how to set up Captive Portal authentication by configuring the PAN-OS integrated User-ID agent to redirect web requests ...
Captive Portal Authentication Methods
Captive Portal Authentication Methods Captive Portal uses the following methods to authenticate users whose web requests match Authentication Policy rules: Authentication Method Description Kerberos SSO ...
NTLM Authentication Device User Identification User Mapping Palo Alto Networks User-ID Agent Setup NTLM You can use NT LAN Manager (NTLM) to authenticate only Windows ...
Configure Multi-Factor Authentication
Configure Multi-Factor Authentication To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for ...
Configure an Authentication Profile and Sequence
Configure an Authentication Profile and Sequence An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web ...
Configure Kerberos Server Authentication
Configure Kerberos Server Authentication You can use Kerberos to natively authenticate end users and firewall or Panorama administrators to an Active Directory domain controller or ...
Configure Kerberos Single Sign-On
Configure Kerberos Single Sign-On Palo Alto Networks firewalls and Panorama support Kerberos V5 single sign-on (SSO) to authenticate administrators to the web interface and end ...