Configure Local or External Authentication for Panorama Administrators
You can use an external authentication service or the
service that is local to Panorama to authenticate administrators
who access Panorama. These authentication methods prompt administrators
to respond to one or more authentication challenges, such as a login
page for entering a username and password.
If you use
an external service to manage both authentication and authorization
(role and access domain assignments), see:
To
authenticate administrators without a challenge-response mechanism,
you can Configure
a Panorama Administrator with Certificate-Based Authentication for
the Web Interface and Configure
an Administrator with SSH Key-Based Authentication for the CLI.
- (External authentication only) Enable Panorama to connect to an external server for authenticating administrators.
- Select Panorama > Server Profiles, select the service type (RADIUS, TACACS+, SAML, LDAP, or Kerberos), and configure a server profile. You can use a RADIUS server to support RADIUS authentication services or multi-factor authentication (MFA) services.
- Add a SAML IdP server profile. You cannot combine Kerberos single sign-on (SSO) with SAML SSO; you can use only one type of SSO service.
- (Optional) Define password complexity and expiration settings if Panorama uses local authentication. These settings help protect Panorama against unauthorized access by making it harder for attackers to guess passwords.
- Define global password complexity and expiration settings for all local administrators.
- Select Panorama > Setup > Management and edit the Minimum Password Complexity settings.
- Select Enabled.
- Define the password settings and click OK.
- Define a Password Profile. You assign the profile to administrator accounts for which you want to override the global password expiration settings.
- Select Panorama > Password Profiles and Add a profile.
- Enter a Name to identify the profile.
- Define the password expiration settings and click OK.
- (Kerberos SSO only) Create a Kerberos keytab. A keytab is a file that contains Kerberos account information for Panorama. To support Kerberos SSO, your network must have a Kerberos infrastructure.
- If your administrative accounts are stored across multiple types of servers, you can create an authentication profile for each type and add all the profiles to an authentication sequence. In the authentication profile, specify the Type of authentication service and related settings:
- External service—Select the Type of external service and select the Server Profile you created for it.
- Local authentication—Set the Type to None.
- Kerberos SSO—Specify the Kerberos Realm and Import the Kerberos Keytab you created.
- (Device group and template administrators only) Configure an Access Domain. Configure one or more access domains.
- (Custom roles only) Configure an Admin Role Profile. Configure one or more Admin Role profiles. For custom Panorama administrators, the profile defines access privileges for the account. For device group and template administrators, the profile defines access privileges for one or more access domains associated with the account.
- Configure an administrator.
- Assign the Authentication Profile or sequence that you configured.
- (Device Group and Template Admin only) Map the access domains to Admin Role profiles.
- (Local authentication only) Select a Password Profile if you configured one.
- Select Commit > Commit to Panorama and Commit your changes.
- (Optional) Test authentication server connectivity to verify that Panorama can use the authentication profile to authenticate administrators.