Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface

As a more secure alternative to password-based authentication to the Panorama web interface, you can configure certificate-based authentication for administrator accounts that are local to Panorama. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables username/password logins for all administrators on Panorama; thereafter, all administrators require the certificate to log in.
  1. Generate a certificate authority (CA) certificate on Panorama.
    You will use this CA certificate to sign the client certificate of each administrator.
    Alternatively, you can import a certificate from your enterprise CA.
  2. Configure a certificate profile for securing access to the web interface.
    1. Select Panorama > Certificate Management > Certificate Profile and click Add.
    2. Enter a Name for the certificate profile and set the Username Field to Subject.
    3. Select Add in the CA Certificates section and select the CA Certificate you just created.
    4. Click OK to save the profile.
  3. Configure Panorama to use the certificate profile for authenticating administrators.
    1. Select Panorama > Setup > Management and edit the Authentication Settings.
    2. Select the Certificate Profile you just created and click OK.
  4. Configure the administrator accounts to use client certificate authentication.
    Configure a Panorama Administrator Account for each administrator who will access the Panorama web interface. Select the Use only client certificate authentication (Web) check box.
    If you have already deployed client certificates that your enterprise CA generated, skip to Step 8. Otherwise, continue with Step 5.
  5. Generate a client certificate for each administrator.
    Generate a certificate on Panorama. In the Signed By drop-down, select the CA certificate you created.
  6. Export the client certificates.
    1. Select Commit > Commit to Panorama and Commit your changes.
      Panorama restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.
  7. Import the client certificate into the client system of each administrator who will access the web interface.
    Refer to your web browser documentation as needed to complete this step.
  8. Verify that administrators can access the web interface.
    1. Open the Panorama IP address in a browser on the computer that has the client certificate.
    2. When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
    3. Add the certificate to the browser exception list.
    4. Click Login. The web interface should appear without prompting you for a username or password.
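
For the enterprise-CA path mentioned in Steps 1 and 4, the following added example (not part of the Panorama documentation) uses the OpenSSL CLI to build a throwaway lab CA, issue a client certificate whose Subject common name is the administrator account name, and check the chain, client-auth purpose and name before the certificate is imported. The file names, subjects and the P12_PASS variable are constructed, and it assumes that a profile with Username Field set to Subject matches on the common name.

```shell
#!/bin/sh
# Added example: lab stand-in for an enterprise CA. Every name, path and
# subject here is constructed; keys are unencrypted lab keys, so keep them private.
umask 077

write_conf() {        # $1 = work dir; minimal OpenSSL config with both extension sets
  cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

make_ca() {           # $1 = work dir; writes ca.key and ca.pem
  write_conf "$1" &&
  openssl req -x509 -config "$1/lab.cnf" -extensions ca_ext -newkey rsa:2048 \
    -nodes -days 30 -subj "/CN=Constructed Lab Admin CA" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# $1 = work dir, $2 = administrator account name (becomes the Subject CN).
# Also writes a PKCS#12 bundle for browser import, passphrase read from $P12_PASS.
issue_client() {
  openssl req -new -config "$1/lab.cnf" -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -extfile "$1/lab.cnf" -extensions client_ext \
    -out "$1/$2.pem" 2>/dev/null &&
  openssl pkcs12 -export -inkey "$1/$2.key" -in "$1/$2.pem" -certfile "$1/ca.pem" \
    -name "$2" -passout env:P12_PASS -out "$1/$2.p12"
}

# $1 = CA cert from the certificate profile, $2 = client cert, $3 = account name.
# Returns 1 if the chain or client-auth purpose fails, 2 if only the name differs.
check_client() {
  openssl verify -CAfile "$1" -purpose sslclient "$2" >/dev/null 2>&1 || return 1
  cn=$(openssl x509 -in "$2" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= //p')
  [ "$cn" = "$3" ] || return 2
}
```

Running check_client against certificates your enterprise CA has already deployed, before you commit in Step 6, shows whether each one chains to the CA in the profile and carries the expected account name while password logins are still available.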
