Configure Local or External Authentication for Panorama Administrators

You can use an external authentication service or the service that is local to Panorama to authenticate administrators who access Panorama. These authentication methods prompt administrators to respond to one or more authentication challenges, such as a login page for entering a username and password.
  1. (
    External authentication only
    ) Enable Panorama to connect to an external server for authenticating administrators.
    1. Select
      Panorama
      Server Profiles
      , select the service type (
      RADIUS
      ,
      TACACS+
      ,
      SAML
      ,
      LDAP
      , or
      Kerberos
      ), and configure a server profile:
  2. (
    Optional
    ) Define password complexity and expiration settings if Panorama uses local authentication.
    These settings help protect Panorama against unauthorized access by making it harder for attackers to guess passwords.
    1. Define global password complexity and expiration settings for all local administrators.
      1. Select
        Panorama
        Setup
        Management
        and edit the Minimum Password Complexity settings.
      2. Select
        Enabled
        .
      3. Define the password settings and click
        OK
        .
    2. Define a Password Profile.
      You assign the profile to administrator accounts for which you want to override the global password expiration settings.
      1. Select
        Panorama
        Password Profiles
        and
        Add
        a profile.
      2. Enter a
        Name
        to identify the profile.
      3. Define the password expiration settings and click
        OK
        .
  3. (
    Kerberos SSO only
    ) Create a Kerberos keytab.
    A keytab is a file that contains Kerberos account information for Panorama. To support Kerberos SSO, your network must have a Kerberos infrastructure.
  4. If your administrative accounts are stored across multiple types of servers, you can create an authentication profile for each type and add all the profiles to an authentication sequence.
    In the authentication profile, specify the
    Type
    of authentication service and related settings:
    • External service
      —Select the
      Type
      of external service and select the
      Server Profile
      you created for it.
    • Local authentication
      —Set the
      Type
      to
      None
      .
    • Kerberos SSO
      —Specify the
      Kerberos Realm
      and
      Import
      the
      Kerberos Keytab
      you created.
  5. (
    Device group and template administrators only
    ) Configure an Access Domain.
    Configure one or more access domains.
  6. (
    Custom roles only
    ) Configure an Admin Role Profile.
    Configure one or more Admin Role profiles.
    For custom Panorama administrators, the profile defines access privileges for the account. For device group and template administrators, the profile defines access privileges for one or more access domains associated with the account.
  7. Configure an administrator.
      • Assign the
        Authentication Profile
        or sequence that you configured.
      • (
        Device Group and Template Admin only
        ) Map the access domains to Admin Role profiles.
      • (
        Local authentication only
        ) Select a
        Password Profile
        if you configured one.
    1. Select
      Commit
      Commit to Panorama
      and
      Commit
      your changes.
    2. (
      Optional
      ) Test authentication server connectivity to verify that Panorama can use the authentication profile to authenticate administrators.

Related Documentation