Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface
As a more secure alternative to password-based authentication to the Panorama web interface, you can configure certificate-based authentication for administrator accounts that are local to Panorama. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables the username/password logins for all administrators on Panorama and all administrators thereafter require the certificate to log in.
- Configure a certificate profile for securing access to the web interface.
  - Select Panorama > Certificate Management > Certificate Profile and click Add.
  - Enter a Name for the certificate profile and set the Username Field to Subject.
  - Select Add in the CA Certificates section and select the CA Certificate you just created.
  - Click OK to save the profile.
- Configure Panorama to use the certificate profile for authenticating administrators.
  - Select Panorama > Setup > Management and edit the Authentication Settings.
  - Select the Certificate Profile you just created and click OK.
- Configure the administrator accounts to use client certificate authentication. Configure a Panorama Administrator Account for each administrator who will access the Panorama web interface. Select the Use only client certificate authentication (Web) check box.
- Generate a client certificate for each administrator.
- Export the client certificates.
- Select Commit > Commit to Panorama and Commit your changes. Panorama restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.
- Import the client certificate into the client system of each administrator who will access the web interface. Refer to your web browser documentation as needed to complete this step.
- Verify that administrators can access the web interface.
  - Open the Panorama IP address in a browser on the computer that has the client certificate.
  - When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
  - Add the certificate to the browser exception list.
  - Click Login. The web interface should appear without prompting you for a username or password.
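
Because the commit disables username/password logins for every administrator, each exported client certificate can be checked on a workstation before committing. The script below is an added example, not part of the Palo Alto Networks procedure; it assumes OpenSSL, PEM-format exports, and that the Subject username field is matched against the certificate common name, and its file names and the account name admin-alice are made up.

```shell
#!/usr/bin/env bash
# Added example: check an exported admin client certificate before the commit.
# Assumes PEM files, OpenSSL on the workstation, and Subject mapping to the CN.

# check_admin_cert CA_PEM CLIENT_PEM ADMIN_NAME
# Returns 0 only if the certificate is unexpired, verifies against the CA,
# and its subject common name equals the administrator account name.
check_admin_cert() {
    local ca="$1" cert="$2" admin="$3" cn
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "FAIL $admin: certificate unreadable or expired" >&2; return 2
    fi
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL $admin: does not verify against the profile CA" >&2; return 1
    fi
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
         sed -n 's/^ *commonName *= *//p' | head -n 1)
    if [ "$cn" != "$admin" ]; then
        echo "FAIL $admin: subject CN is '$cn'" >&2; return 3
    fi
    echo "OK   $admin"
}

# make_demo_pki DIR: constructed throwaway CA plus one client certificate
# (CN=admin-alice, a made-up account name) so the check can be exercised offline.
make_demo_pki() {
    local d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Panorama CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=admin-alice" \
        -keyout "$d/alice.key" -out "$d/alice.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/alice.pem" >/dev/null 2>&1
}

# Demo run: ./check_admin_cert.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_demo_pki "$tmp" &&
        check_admin_cert "$tmp/ca.pem" "$tmp/alice.pem" admin-alice
    rm -rf "$tmp"
fi
```

Run the check for every administrator account against the CA certificate referenced in the certificate profile; a mismatch found here would otherwise surface only after password logins are gone.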