Configure an Authentication Profile and Sequence
Updated on Jul 1, 2024
End-of-Life (EoL)
An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web interface and of end users who access applications through Captive Portal or GlobalProtect. The service can be Local Authentication that the firewall provides or External Authentication Services. The authentication profile also defines options such as Kerberos single sign-on (SSO).
Some networks have multiple databases (such as TACACS+ and LDAP) for different users and user groups. To authenticate users in such cases, configure an authentication sequence: a ranked order of authentication profiles that the firewall matches a user against during login. The firewall checks each profile in sequence until one successfully authenticates the user. A user is denied access only if authentication fails for all the profiles in the sequence. The sequence can specify authentication profiles based on any authentication service that the firewall supports except Multi-Factor Authentication (MFA) and SAML.
1. (External service only) Enable the firewall to connect to an external server for authenticating users:
   a. Set up the external server. Refer to your server documentation for instructions.
   b. Configure a server profile for the type of authentication service you use:
      - Add a RADIUS server profile. If the firewall integrates with an MFA service through RADIUS, you must add a RADIUS server profile. In this case, the MFA service provides all the authentication factors. If the firewall integrates with an MFA service through a vendor API, you can still use a RADIUS server profile for the first factor, but MFA server profiles are required for additional factors.
      - Add an MFA server profile.
      - Add a SAML IdP server profile.
      - Add a Kerberos server profile.
      - Add a TACACS+ server profile.
      - Add an LDAP server profile.
2. (Local database authentication only) Configure a user database that is local to the firewall. Perform these steps for each user and user group for which you want to configure Local Authentication based on a user identity store that is local to the firewall:
   a. Add the user account to the local database.
   b. (Optional) Add the user group to the local database.
3. (Kerberos SSO only) Create a Kerberos keytab for the firewall if Kerberos single sign-on (SSO) is the primary authentication service. A keytab is a file that contains Kerberos account information for the firewall. To support Kerberos SSO, your network must have a Kerberos infrastructure.
4. Configure an authentication profile. Define one or both of the following:
   - Kerberos SSO: The firewall first tries SSO authentication. If that fails, it falls back to the specified authentication Type.
   - External authentication or local database authentication: The firewall prompts the user to enter login credentials, and uses an external service or local database to authenticate the user.
   a. Select Device > Authentication Profile and Add the authentication profile.
   b. Enter a Name to identify the authentication profile.
   c. Select the Type of authentication service. If you use Multi-Factor Authentication, the selected type applies only to the first authentication factor. You select services for additional MFA factors in the Factors tab.
      - If you select RADIUS, TACACS+, LDAP, or Kerberos, select the Server Profile.
      - If you select LDAP, select the Server Profile and define the Login Attribute. For Active Directory, enter sAMAccountName as the value.
      - If you select SAML, select the IdP Server Profile.
   d. If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama.
   e. (MFA only) Select Factors, Enable Additional Authentication Factors, and Add the MFA server profiles you configured. The firewall will invoke each MFA service in the listed order, from top to bottom.
   f. Select Advanced and Add the users and groups that can authenticate with this profile. You can select users and groups from the local database or, if you configured the firewall to Map Users to Groups, from an LDAP-based directory service such as Active Directory. By default, the list is empty, meaning no users can authenticate. You can also select custom groups defined in a group mapping configuration.
   g. (Optional) To modify the user information before the firewall sends the authentication request to the server, configure a Username Modifier:
      - %USERDOMAIN%\%USERINPUT%: If the source does not include the domain (for example, it uses the sAMAccountName), the firewall adds the User Domain you specify before the username. If the source includes the domain, the firewall replaces that domain with the User Domain. If the User Domain is empty, the firewall removes the domain from the user information it receives from the source before it sends the request to the authentication server. Because LDAP servers do not support backslashes in the sAMAccountName, do not use this option to authenticate with an LDAP server.
      - %USERINPUT%: (Default) The firewall sends the user information to the authentication server in the format it receives from the source.
      - %USERINPUT%@%USERDOMAIN%: If the source does not include the domain, the firewall adds the User Domain value after the username. If the source includes the domain, the firewall replaces that domain with the User Domain value. If the User Domain is empty, the firewall removes the domain from the user information it receives from the source before it sends the request to the authentication server.
      - None: If you manually enter None:
        For LDAP and Kerberos server profiles, the firewall uses the domain it receives from the source to select the appropriate authentication profile, then removes the domain when it sends the authentication request to the server. This allows you to include the User Domain during the authentication sequence but remove the domain before the firewall sends the authentication request to the server. For example, if you are using an LDAP server profile and the sAMAccountName as the attribute, use this option so that the firewall does not send the domain to an authentication server that expects only a username and not a domain.
        For RADIUS server profiles:
          - If the source sends the user information in domain\username format, the firewall sends the user information to the server in the same format.
          - If the source sends the user information in username@domain format, the firewall normalizes the user information to the domain\username format before sending it to the server.
          - If the source sends only the username, the firewall adds the User Domain you specify before sending the information to the server in domain\username format.
        For local databases, TACACS+, and SAML, the firewall sends the user information to the authentication server in the format it receives from the source.
   h. Click OK to save the authentication profile.
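As an added illustration that is not part of this documentation or PAN-OS itself, the following Python models the Username Modifier rules described above for each option and server profile type, so you can predict the user information the firewall forwards. The split_user and apply_username_modifier functions and the sample usernames are assumptions constructed for the example.

```python
# Added example, not PAN-OS code: models the Username Modifier rules
# described above to show what the firewall forwards to the server.
# Assumptions (constructed): the source sends "domain\user", "user@domain"
# or a bare "user"; server_type names the server profile type.

def split_user(user_input):
    """Return (domain, username); domain is None if the source sent none."""
    if "\\" in user_input:
        domain, _, name = user_input.partition("\\")
        return domain, name
    if "@" in user_input:
        name, _, domain = user_input.partition("@")
        return domain, name
    return None, user_input


def apply_username_modifier(user_input, modifier, user_domain="", server_type="ldap"):
    """Build the user information sent for one authentication profile.

    modifier: '%USERINPUT%', '%USERDOMAIN%\\%USERINPUT%',
              '%USERINPUT%@%USERDOMAIN%' or 'None'.
    server_type: 'ldap', 'kerberos', 'radius', 'tacacs', 'saml' or 'local'.
    """
    domain, name = split_user(user_input)
    if modifier == "%USERINPUT%":
        return user_input                 # default: forwarded as received
    if modifier == "%USERDOMAIN%\\%USERINPUT%":
        # User Domain replaces or prepends the domain; an empty User Domain strips it.
        # Not for LDAP: a sAMAccountName cannot contain a backslash.
        return f"{user_domain}\\{name}" if user_domain else name
    if modifier == "%USERINPUT%@%USERDOMAIN%":
        return f"{name}@{user_domain}" if user_domain else name
    if modifier == "None":
        if server_type in ("ldap", "kerberos"):
            return name                   # the domain only selected the profile
        if server_type == "radius":
            # domain\user kept, user@domain normalized, bare user gets User Domain
            if domain:
                return f"{domain}\\{name}"
            return f"{user_domain}\\{name}" if user_domain else name
        return user_input                 # local, TACACS+, SAML: unchanged
    raise ValueError(f"unknown Username Modifier {modifier!r}")
```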
5. Configure an authentication sequence. Required if you want the firewall to try multiple authentication profiles to authenticate users. The firewall evaluates the profiles in top-to-bottom order until one profile successfully authenticates the user.
   a. Select Device > Authentication Sequence and Add the authentication sequence.
   b. Enter a Name to identify the authentication sequence.
   c. To expedite the authentication process, select Use domain to determine authentication profile: the firewall matches the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then uses that profile to authenticate the user. If the firewall does not find a match, or if you disable the option, the firewall tries the profiles in the top-to-bottom sequence.
   d. Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down.
   e. Click OK to save the authentication sequence.
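As an added illustration that is not part of this documentation or PAN-OS itself, the following Python simulates how an authentication sequence chooses and evaluates profiles: a domain match on User Domain or Kerberos Realm when Use domain to determine authentication profile is enabled, top-to-bottom evaluation otherwise, and denial only after every profile fails. The profile dicts, the fake credential tables and the assumption that a domain match tries only the matched profile are constructed for the example.

```python
# Added example, not PAN-OS code: simulates how an authentication sequence
# selects and evaluates profiles, per the description above. Each profile
# is a constructed dict with 'name', 'user_domain', 'kerberos_realm' and an
# 'authenticate' callable standing in for the real authentication service.
# Assumed: when the login domain matches a profile, only that profile is tried.

def order_profiles(sequence, login_domain, use_domain_to_select):
    """Return the profiles in the order the firewall would try them."""
    if use_domain_to_select and login_domain:
        for profile in sequence:
            matches = {profile.get("user_domain"), profile.get("kerberos_realm")}
            if login_domain.lower() in {m.lower() for m in matches if m}:
                return [profile]           # domain matched: use this profile
    return list(sequence)                  # no match or option disabled: top to bottom


def authenticate_with_sequence(sequence, username, password,
                               login_domain=None, use_domain_to_select=True):
    """Return the name of the profile that authenticated the user, else None."""
    for profile in order_profiles(sequence, login_domain, use_domain_to_select):
        if profile["authenticate"](username, password):
            return profile["name"]
    return None                            # denied only after every profile fails


def _fake_service(users):
    """Constructed stand-in for an external server: a static credential table."""
    return lambda user, password: users.get(user) == password


SAMPLE_SEQUENCE = [
    {"name": "corp-ldap", "user_domain": "CORP", "kerberos_realm": "CORP.EXAMPLE",
     "authenticate": _fake_service({"jsmith": "s3cret"})},
    {"name": "lab-tacacs", "user_domain": "LAB", "kerberos_realm": None,
     "authenticate": _fake_service({"rlee": "pa55"})},
]
```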
6. Assign the authentication profile or sequence to an administrative account for firewall administrators or to Authentication policy for end users.
   - Administrators: Assign the authentication profile based on how you manage administrator authorization:
     - Authorization managed locally on the firewall: Configure a Firewall Administrator Account.
     - Authorization managed on a SAML, TACACS+, or RADIUS server: Select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile.
   - End users: For the full procedure to configure authentication for end users, see Configure Authentication Policy.
7. Verify that the firewall can authenticate users: Test Authentication Server Connectivity.