Configure
Administrative Accounts and Authentication
Configure Administrative Accounts and Authentication. This process involves creating
accounts that specify the privileges (roles) and the method used to validate
credentials.
| Where Can I Use This? | What Do I Need? |
- NGFW (Managed by Panorama)
|
|
To control system access, you must Configure Administrative Accounts and Authentication.
This process involves creating accounts that specify the privileges (roles) and the
method used to validate credentials.
When you Configure a Panorama Administrator Account, you define the administrator
type—such as Dynamic, Custom, or Device Group and Template Admin—and assign an
authentication profile to determine how the user is verified. Administrators can be
authenticated locally or via external services.
You can Configure Local or External Authentication for Panorama Administrators by
defining Server Profiles for services like LDAP, Kerberos, RADIUS, or TACACS+.
To enhance security beyond standard passwords, you can Configure a Panorama Administrator
with Certificate-Based Authentication for the Web Interface. This method uses a
Certificate Authority (CA) and client certificates to validate sessions without
requiring a password.
Similarly, for secure command-line access, you can Configure an Administrator with SSH
Key-Based Authentication for the CLI, which utilizes asymmetric key pairs to prevent
brute-force attacks. For centralized identity management, Panorama supports specific
protocols. You can Configure RADIUS Authentication or Configure TACACS+ Authentication
for Panorama Administrators. Both methods allow you to define Vendor-Specific Attributes
(VSAs) on the external server to manage administrator authorization, enabling you to
change roles and access domains remotely without reconfiguring Panorama. Additionally,
you can Configure SAML Authentication for Panorama Administrators, which allows you to
implement Single Sign-On (SSO) for the web interface using an external Identity Provider
(IdP).