Configure Local or External Authentication for Panorama Administrators

You can use an external authentication service or the service that is local to Panorama to authenticate administrators who access Panorama. These authentication methods prompt administrators to respond to one or more authentication challenges, such as a login page for entering a username and password.
  1. (External authentication only) Enable Panorama to connect to an external server for authenticating administrators.
    1. Select Panorama > Server Profiles, select the service type (RADIUS, TACACS+, SAML, LDAP, or Kerberos), and configure a server profile:
  2. (Optional) Define password complexity and expiration settings if Panorama uses local authentication.
    These settings help protect Panorama against unauthorized access by making it harder for attackers to guess passwords.
    1. Define global password complexity and expiration settings for all local administrators.
      1. Select Panorama > Setup > Management and edit the Minimum Password Complexity settings.
      2. Select Enabled.
      3. Define the password settings and click OK.
    2. Define a Password Profile.
      You assign the profile to administrator accounts for which you want to override the global password expiration settings.
      1. Select Panorama > Password Profiles and Add a profile.
      2. Enter a Name to identify the profile.
      3. Define the password expiration settings and click OK.
  3. (Kerberos SSO only) Create a Kerberos keytab.
    A keytab is a file that contains Kerberos account information for Panorama. To support Kerberos SSO, your network must have a Kerberos infrastructure.
  4. Configure an authentication profile.
    If your administrative accounts are stored across multiple types of servers, you can create an authentication profile for each type and add all the profiles to an authentication sequence.
    In the authentication profile, specify the Type of authentication service and related settings:
    • External service—Select the Type of external service and select the Server Profile you created for it.
    • Local authentication—Set the Type to None.
    • Kerberos SSO—Specify the Kerberos Realm and Import the Kerberos Keytab you created.
  5. (Device group and template administrators only) Configure an Access Domain.
    Configure one or more access domains.
  6. (Custom roles only) Configure an Admin Role Profile.
    Configure one or more Admin Role profiles.
    For custom Panorama administrators, the profile defines access privileges for the account. For device group and template administrators, the profile defines access privileges for one or more access domains associated with the account.
  7. Configure an administrator.
    1. Configure a Panorama Administrator Account.
      • Assign the Authentication Profile or sequence that you configured.
      • (Device Group and Template Admin only) Map the access domains to Admin Role profiles.
      • (Local authentication only) Select a Password Profile if you configured one.
    2. Select Commit > Commit to Panorama and Commit your changes.
    3. (Optional) Test authentication server connectivity to verify that Panorama can use the authentication profile to authenticate administrators.
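
After the commit, the result of steps 2, 4, and 7 can be reviewed offline from an exported configuration. The script below is an added example, not part of the Panorama documentation: it lists how each administrator account authenticates and flags local accounts that are covered by neither the global password settings nor a Password Profile. The XML element names and the sample configuration are assumptions constructed for illustration; adjust them to match your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. The element names are assumptions
# about the layout of an exported Panorama configuration.
SAMPLE_CONFIG = """
<config>
  <mgt-config>
    <password-complexity><enabled>no</enabled></password-complexity>
    <users>
      <entry name="alice"><authentication-profile>ldap-admins</authentication-profile></entry>
      <entry name="bob"><phash>CONSTRUCTED</phash><password-profile>90-day</password-profile></entry>
      <entry name="carol"><phash>CONSTRUCTED</phash></entry>
    </users>
  </mgt-config>
</config>
"""

def audit_admin_auth(xml_text):
    """Return (findings, {account: auth method}) for the given config XML."""
    root = ET.fromstring(xml_text)
    mgt = root.find("mgt-config")
    if mgt is None:
        raise ValueError("no mgt-config element found")
    findings, methods = [], {}
    # Step 2.1: global Minimum Password Complexity settings.
    enabled = (mgt.findtext("password-complexity/enabled") or "no").strip()
    complexity_on = enabled == "yes"
    if not complexity_on:
        findings.append("global: Minimum Password Complexity is not enabled")
    for entry in mgt.findall("users/entry"):
        name = entry.get("name", "<unnamed>")
        profile = (entry.findtext("authentication-profile") or "").strip()
        if profile:
            # Step 4: the profile's Type is not resolved here, only its name.
            methods[name] = "profile:" + profile
            continue
        methods[name] = "local"
        # Step 2.2: a Password Profile overrides the global expiration settings.
        has_pw_profile = bool((entry.findtext("password-profile") or "").strip())
        if not complexity_on and not has_pw_profile:
            findings.append(f"{name}: local account with no password settings applied")
    return findings, methods

if __name__ == "__main__":
    findings, methods = audit_admin_auth(SAMPLE_CONFIG)
    for name, method in sorted(methods.items()):
        print(f"{name:10} {method}")
    for finding in findings:
        print("FINDING:", finding)
```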
