Configure Administrative Accounts and Authentication
Focus
Focus
Panorama

Configure Administrative Accounts and Authentication

Table of Contents

Configure Administrative Accounts and Authentication

Configure Administrative Accounts and Authentication. This process involves creating accounts that specify the privileges (roles) and the method used to validate credentials.
Where Can I Use This?What Do I Need?
  • NGFW (Managed by Panorama)
  • Panorama superuser role
To control system access, you must Configure Administrative Accounts and Authentication. This process involves creating accounts that specify the privileges (roles) and the method used to validate credentials.
If you have already configured an authentication profile or you don’t require one to authenticate administrators, you are ready to Configure a Panorama Administrator Account. Otherwise, perform one of the other procedures listed below to configure administrative accounts for specific types of authentication.
When you Configure a Panorama Administrator Account, you define the administrator type—such as Dynamic, Custom, or Device Group and Template Admin—and assign an authentication profile to determine how the user is verified. Administrators can be authenticated locally or via external services.
You can Configure Local or External Authentication for Panorama Administrators by defining Server Profiles for services like LDAP, Kerberos, RADIUS, or TACACS+.
To enhance security beyond standard passwords, you can Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface. This method uses a Certificate Authority (CA) and client certificates to validate sessions without requiring a password.
Similarly, for secure command-line access, you can Configure an Administrator with SSH Key-Based Authentication for the CLI, which utilizes asymmetric key pairs to prevent brute-force attacks. For centralized identity management, Panorama supports specific protocols. You can Configure RADIUS Authentication or Configure TACACS+ Authentication for Panorama Administrators. Both methods allow you to define Vendor-Specific Attributes (VSAs) on the external server to manage administrator authorization, enabling you to change roles and access domains remotely without reconfiguring Panorama. Additionally, you can Configure SAML Authentication for Panorama Administrators, which allows you to implement Single Sign-On (SSO) for the web interface using an external Identity Provider (IdP).