Configure Local or External Authentication for Panorama Administrators
You can use an external authentication service or the service that is local to Panorama to authenticate administrators who access Panorama. These authentication methods prompt administrators to respond to one or more authentication challenges, such as a login page for entering a username and password.
If you use an external service to manage both authentication and authorization (role and access domain assignments), see:
- Configure RADIUS Authentication for Panorama Administrators
- Configure TACACS+ Authentication for Panorama Administrators
- Configure SAML Authentication for Panorama Administrators
To authenticate administrators without a challenge-response mechanism, you can Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface and Configure an Administrator with SSH Key-Based Authentication for the CLI.
- (External authentication only) Enable
Panorama to connect to an external server for authenticating administrators.
- Select PanoramaServer Profiles, select the
service type (RADIUS, TACACS+, SAML, LDAP,
or Kerberos), and configure a server profile:You can use a RADIUS server to support RADIUS authentication services or multi-factor authentication(MFA) services.
- Add a SAML IdP server profile. You cannot combine Kerberos single sign-on (SSO) with SAML SSO; you can use only one type of SSO service.
- Select PanoramaServer Profiles, select the service type (RADIUS, TACACS+, SAML, LDAP, or Kerberos), and configure a server profile:
- (Optional) Define password complexity
and expiration settings if Panorama uses local authentication.These settings help protect Panorama against unauthorized access by making it harder for attackers to guess passwords.
- Define global password complexity and expiration
settings for all local administrators.
- Select PanoramaSetupManagement and edit the Minimum Password Complexity settings.
- Select Enabled.
- Define the password settings and click OK.
- Define a Password Profile.You assign the profile to administrator accounts for which you want to override the global password expiration settings.
- Select PanoramaPassword Profiles and Add a profile.
- Enter a Name to identify the profile.
- Define the password expiration settings and click OK.
- Define global password complexity and expiration settings for all local administrators.
- (Kerberos SSO only) Create a Kerberos keytab.A keytab is a file that contains Kerberos account information for Panorama. To support Kerberos SSO, your network must have a Kerberos infrastructure.
- Configure an authentication profile.If your administrative accounts are stored across multiple types of servers, you can create an authentication profile for each type and add all the profiles to an authentication sequence.In the authentication profile, specify the Type of authentication service and related settings:
- External service—Select the Type of external service and select the Server Profile you created for it.
- Local authentication—Set the Type to None.
- Kerberos SSO—Specify the Kerberos Realm and Import the Kerberos Keytab you created.
- (Device group and template administrators only) Configure
an Access Domain.Configure one or more access domains.
- (Custom roles only) Configure
an Admin Role Profile.Configure one or more Admin Role profiles.For custom Panorama administrators, the profile defines access privileges for the account. For device group and template administrators, the profile defines access privileges for one or more access domains associated with the account.
- Configure an administrator.
a Panorama Administrator Account.
- Assign the Authentication Profile or sequence that you configured.
- (Device Group and Template Admin only) Map the access domains to Admin Role profiles.
- (Local authentication only) Select a Password Profile if you configured one.
- Select CommitCommit to Panorama and Commit your changes.
- (Optional) Test authentication server connectivity to verify that Panorama can use the authentication profile to authenticate administrators.
- Configure a Panorama Administrator Account.
Configure Local or External Authentication for Firewall Adm...
Configure Local or External Authentication for Firewall Administrators You can use Local Authentication and External Authentication Services to authenticate administrators who access the firewall. These ...
Administrative Authentication You can configure the following types of authentication and authorization ( Administrative Roles and Access Domains ) for Panorama administrators: Authentication Method Authorization ...
Authentication Profiles and Sequences
Authentication Profiles and Sequences An authentication profile defines the authentication service that validates the login credentials of administrators when they access Panorama. The service can ...
Kerberos Kerberos is an authentication protocol that enables a secure exchange of information between parties over an insecure network using unique keys (called tickets) to ...
External Authentication Services
External Authentication Services The firewall and Panorama can use external servers to control administrative access to the web interface and end user access to services ...
Authentication Types External Authentication Services Multi-Factor Authentication SAML Kerberos TACACS+ RADIUS LDAP Local Authentication ...
Configure an Authentication Profile and Sequence
Configure an Authentication Profile and Sequence An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web ...
Authentication Authentication is a method for protecting services and applications by verifying the identities of users so that only legitimate users have access. Several firewall ...
Local Authentication Although the firewall and Panorama provide local authentication for administrators and end users, External Authentication Services are preferable in most cases because they ...