Configure Local or External Authentication for Panorama Administrators
You can use an external authentication service or the service that is local to Panorama to authenticate administrators who access Panorama. These authentication methods prompt administrators to respond to one or more authentication challenges, such as a login page for entering a username and password.
If you use an external service to manage both authentication and authorization (role and access domain assignments), see:
To authenticate administrators without a challenge-response mechanism, you can Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface and Configure an Administrator with SSH Key-Based Authentication for the CLI.
- (External authentication only) Enable Panorama to connect to an external server for authenticating administrators.
- Select Panorama > Server Profiles, select the service type (RADIUS, TACACS+, SAML, LDAP, or Kerberos), and configure a server profile:
- (Optional) Define password complexity and expiration settings if Panorama uses local authentication. These settings help protect Panorama against unauthorized access by making it harder for attackers to guess passwords.
- Define global password complexity and expiration settings for all local administrators.
- Select Panorama > Setup > Management and edit the Minimum Password Complexity settings.
- Define the password settings and click OK.
- Define a Password Profile. You assign the profile to administrator accounts for which you want to override the global password expiration settings.
- Select Panorama > Password Profiles and Add a profile.
- Enter a Name to identify the profile.
- Define the password expiration settings and click OK.
- In the authentication profile, specify the Type of authentication service and related settings:
- External service—Select the Type of external service and select the Server Profile you created for it.
- Local authentication—Set the Type to None.
- Kerberos SSO—Specify the Kerberos Realm and Import the Kerberos Keytab you created.
- (Device group and template administrators only) Configure an Access Domain. Configure one or more access domains.
- (Custom roles only) Configure an Admin Role Profile. Configure one or more Admin Role profiles. For custom Panorama administrators, the profile defines access privileges for the account. For device group and template administrators, the profile defines access privileges for one or more access domains associated with the account.
- Configure an administrator.
- Assign the Authentication Profile or sequence that you configured.
- (Device Group and Template Admin only) Map the access domains to Admin Role profiles.
- (Local authentication only) Select a Password Profile if you configured one.
- Select Commit > Commit to Panorama and Commit your changes.
- (Optional) Test authentication server connectivity to verify that Panorama can use the authentication profile to authenticate administrators.
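After the commit, an exported configuration can be reviewed for the settings this procedure covers. The script below is an added example, not Palo Alto Networks code: it flags disabled global password complexity and local administrators that have neither an authentication profile nor a password profile. The XML element names, the sample export, and the 12-character threshold are assumptions; verify them against your own export and policy.

```python
import xml.etree.ElementTree as ET

# Constructed sample. Element names are an assumption modelled on an exported
# configuration file; check them against your own export before relying on this.
SAMPLE = """<config><mgt-config>
  <password-complexity><enabled>no</enabled><minimum-length>6</minimum-length></password-complexity>
  <users>
    <entry name="admin"><phash>*</phash></entry>
    <entry name="alice"><authentication-profile>radius-admins</authentication-profile></entry>
    <entry name="bob"><phash>*</phash><password-profile>rotate-90d</password-profile></entry>
  </users>
</mgt-config></config>"""


def audit_admins(xml_text, min_length=12):
    """Return (subject, finding) pairs for the settings the procedure covers."""
    mgt = ET.fromstring(xml_text).find("mgt-config")
    if mgt is None:
        raise ValueError("no mgt-config section in export")
    findings = []

    # Global Minimum Password Complexity settings (apply to all local admins).
    pc = mgt.find("password-complexity")
    if pc is None or pc.findtext("enabled", default="no") != "yes":
        findings.append(("global", "minimum password complexity is not enabled"))
    else:
        length = int(pc.findtext("minimum-length", default="0"))
        if length < min_length:  # min_length is an assumed policy value
            findings.append(("global", f"minimum length {length} is below {min_length}"))

    # Per-administrator checks.
    for user in mgt.findall("users/entry"):
        name = user.get("name", "?")
        if user.findtext("authentication-profile"):
            continue  # authenticated through an authentication profile
        if not user.findtext("password-profile"):
            # Local password with no override: only the global settings apply.
            findings.append((name, "local password, no password profile"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_admins(SAMPLE):
        print(f"{subject}: {finding}")
```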