Configure an Authentication Profile and Sequence
An authentication profile defines the authentication service that validates the login credentials of firewall or Panorama administrators and Captive Portal or GlobalProtect end users. The authentication service can be a local database (firewalls only), an external service (RADIUS, TACACS+, LDAP, or Kerberos server), or Kerberos single sign-on (SSO).
Some networks keep users in several databases (for example, TACACS+ for network staff and LDAP for everyone else). To authenticate users in such cases, configure an authentication sequence: a ranked list of authentication profiles that the firewall or Panorama tries in order when a user logs in, stopping at the first profile that authenticates the user (a local database profile is always checked first if the sequence contains one). Access is denied only when every profile in the sequence rejects the login. Because a single success is enough, each profile in a sequence is an independent path into the device: a sequence is only as strong as its weakest profile, so include only profiles whose back ends, allow lists, and lockout settings you would trust on their own.
Create a Kerberos keytab. Required only if the firewall or Panorama will use Kerberos SSO authentication. A keytab is a file that holds the Kerberos account information for the firewall or Panorama: the principal name and the secret key derived from the account's password. Because the keytab is equivalent to the account's credentials, generate it on a trusted host, restrict who can read the file, and generate a new one whenever the account's password changes (the existing keytab no longer matches the account after that).
Configure a local database (firewall only) or an external server profile (firewall or Panorama). Required for local database or external authentication.
- Local database authentication: Configure the user account and, optionally, Configure a user group.
- External authentication: perform one of the following: Configure a RADIUS Server Profile, Configure a TACACS+ Server Profile, Configure an LDAP Server Profile, or Configure a Kerberos Server Profile.
Configure an authentication profile. A profile can define one or both of the following:
- Kerberos SSO: the firewall or Panorama first tries SSO. If SSO fails, it falls back to the authentication Type you select below.
- Local database or external authentication: the firewall or Panorama prompts the user for credentials and checks them against its local database (firewalls only) or an external service.

Procedure:
- Select Device > Authentication Profile and Add the profile.
- Enter a Name to identify the profile.
- If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the profile is available.
- Select the authentication Type. For RADIUS, TACACS+, LDAP, or Kerberos, select the Server Profile from the drop-down.
- If the Type is LDAP, define the Login Attribute; for Active Directory, enter sAMAccountName.
- (Optional) Set User Domain and Username Modifier to rewrite the domain/username string the user types at login. This is useful when the authentication service requires a particular format and you do not want to rely on users typing the domain correctly:
  - To send the user input unmodified, leave User Domain blank (the default) and keep the Username Modifier at %USERINPUT% (the default).
  - To prepend a domain, enter a User Domain and set the Username Modifier to %USERDOMAIN%\%USERINPUT%.
  - To append a domain, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%.
- To enable Kerberos SSO, enter the Kerberos Realm (usually the users' DNS domain, written in UPPERCASE) and Import the Kerberos Keytab you created for the firewall or Panorama.
- Select Advanced and Add the users and groups allowed to authenticate with this profile (the Allow List). You can select users and groups from the local database or, if you configured an LDAP server profile, from an LDAP-based directory service such as Active Directory. Selecting all allows every user the back end accepts. The list is empty by default, meaning no one can authenticate until you add an entry; add only the users and groups that need this profile rather than defaulting to all. You can also create and allow custom groups based on LDAP filters; see Map Users to Groups.
- Enter the number of Failed Attempts (0-10) allowed before the firewall or Panorama locks out the user. The default 0 means no limit, which leaves the account open to unlimited password guessing.
- Enter the Lockout Time (0-60), the number of minutes the user stays locked out after reaching the Failed Attempts limit. The default 0 means the lockout lasts until an administrator unlocks the account. Choose the two values together: a finite limit with a Lockout Time of 0 lets anyone who knows an administrator's username lock that administrator out until another administrator intervenes.
- Click OK to save the authentication profile.
Configure an authentication sequence. Required if you want the firewall or Panorama to try several authentication profiles. The profiles are evaluated top to bottom until one authenticates the user.
- Select Device > Authentication Sequence and Add the sequence.
- Enter a Name to identify the sequence.
- If the firewall has more than one virtual system (vsys), select a Location (a vsys or Shared) where the sequence is available.
- To shorten the authentication process, the best practice is to select Use domain to determine authentication profile: the firewall or Panorama matches the domain a user enters at login against the User Domain or Kerberos Realm of the profiles in the sequence and uses the matching profile. If no profile matches, or if you clear the check box, it tries the profiles in top-to-bottom order.
- Add each authentication profile. To change the evaluation order, select a profile and Move Up or Move Down.
- Click OK to save the authentication sequence.
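The evaluation rules from the profile and sequence steps above (Allow List, Username Modifier, domain-based profile selection, local database first, first success wins, per-profile Failed Attempts and Lockout Time) as a runnable model. This is an added example, not Palo Alto Networks code and not a PAN-OS API: the class and function names, the in-memory back ends, and the sample accounts are constructed for illustration, and the way a matched profile receives the user portion of a DOMAIN\user login is a modelling assumption.

```python
"""Model of how a PAN-OS authentication profile and sequence evaluate a login.
Added illustration, not Palo Alto Networks code: the names below and the
in-memory back ends are this example's own, and real profiles would query a
RADIUS, TACACS+, LDAP or Kerberos server. Lockout expiry is not modelled."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Stand-in for the back-end service: (username as sent, password) -> accepted?
Backend = Callable[[str, str], bool]


@dataclass
class AuthProfile:
    name: str
    auth_type: str                       # "local-database", "ldap", "radius", ...
    backend: Backend
    user_domain: str = ""                # User Domain field (blank by default)
    username_modifier: str = "%USERINPUT%"               # default modifier
    allow_list: List[str] = field(default_factory=list)  # Advanced > Allow List
    failed_attempts: int = 0             # 0 = no limit, i.e. lockout disabled
    lockout_time: int = 0                # minutes; 0 = locked until an admin unlocks

    def render_username(self, user_input: str) -> str:
        """Apply the Username Modifier: only the two variables are substituted."""
        return (self.username_modifier
                .replace("%USERINPUT%", user_input)
                .replace("%USERDOMAIN%", self.user_domain))

    def allows(self, user: str) -> bool:
        """An empty Allow List means nobody can authenticate with this profile."""
        return "all" in self.allow_list or user in self.allow_list


@dataclass
class LockoutState:
    """Failure counters per (profile, user): each profile has its own limits."""
    failures: Dict[Tuple[str, str], int] = field(default_factory=dict)
    locked: Set[Tuple[str, str]] = field(default_factory=set)

    def record_failure(self, profile: AuthProfile, user: str) -> None:
        key = (profile.name, user)
        self.failures[key] = self.failures.get(key, 0) + 1
        if profile.failed_attempts and self.failures[key] >= profile.failed_attempts:
            self.locked.add(key)         # with lockout_time == 0 only an admin clears this


def split_domain(user_input: str) -> Tuple[str, str]:
    """Return (domain, user) for DOMAIN\\user or user@domain; domain '' if absent."""
    if "\\" in user_input:
        domain, user = user_input.split("\\", 1)
        return domain, user
    if "@" in user_input:
        user, domain = user_input.rsplit("@", 1)
        return domain, user
    return "", user_input


def authenticate(profiles: List[AuthProfile], user_input: str, password: str,
                 state: LockoutState, use_domain: bool = True) -> Tuple[bool, Optional[str]]:
    """Evaluate a sequence (profiles in top-to-bottom order) for one login attempt.
    use_domain mirrors "Use domain to determine authentication profile".
    Returns (accepted, name of the profile that accepted the login)."""
    domain, user = split_domain(user_input)
    # A local database profile is always consulted first if the sequence has one.
    ordered = ([p for p in profiles if p.auth_type == "local-database"] +
               [p for p in profiles if p.auth_type != "local-database"])
    # A domain equal to a profile's User Domain selects that profile alone; the
    # model assumes it then gets the bare name and re-adds the domain via the modifier.
    candidates, sent_name = ordered, user_input
    if use_domain and domain:
        matched = [p for p in ordered if p.user_domain.lower() == domain.lower()]
        if matched:
            candidates, sent_name = matched[:1], user
    for profile in candidates:
        if (profile.name, user) in state.locked or not profile.allows(user):
            continue                     # locked out, or not on this profile's Allow List
        if profile.backend(profile.render_username(sent_name), password):
            return True, profile.name    # first success wins
        state.record_failure(profile, user)
    return False, None                   # denied only after every candidate failed


def build_demo() -> Tuple[List[AuthProfile], LockoutState]:
    """Constructed sample sequence; every account and password here is made up."""
    local_users = {"admin": "local-admin-pw"}
    ldap_users = {"corp\\alice": "CorrectHorse"}        # names as the LDAP server sees them
    radius_users = {"pat@partner": "BatteryStaple"}
    local = AuthProfile("local-admins", "local-database",
                        lambda u, p: local_users.get(u) == p, allow_list=["admin"])
    corp = AuthProfile("corp-ldap", "ldap", lambda u, p: ldap_users.get(u) == p,
                       user_domain="corp", username_modifier="%USERDOMAIN%\\%USERINPUT%",
                       allow_list=["all"], failed_attempts=3, lockout_time=30)
    partner = AuthProfile("partner-radius", "radius", lambda u, p: radius_users.get(u) == p,
                          user_domain="partner", username_modifier="%USERINPUT%@%USERDOMAIN%",
                          allow_list=["all"], failed_attempts=3, lockout_time=0)
    return [corp, partner, local], LockoutState()
```

Calling build_demo() and then authenticate(profiles, "corp\\alice", "CorrectHorse", state) returns (True, "corp-ldap"); three wrong passwords for the same login lock that user on corp-ldap, after which the correct password is refused. Two things the model makes visible: a profile whose Failed Attempts is 0 (local-admins here) never locks, so guessing against it is free, and a sequence accepts a login as soon as any one profile does, so the lockout on corp-ldap protects nothing if another profile in the same sequence would accept the same user with a weaker check.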
Assign the authentication profile or sequence. Assign it to an administrator account or to a firewall service for end users (Captive Portal or GlobalProtect). Then Test Authentication Server Connectivity to verify that the profile can reach the back-end authentication server and that a test login succeeds; on the CLI this is test authentication authentication-profile <name> username <user> password (or authentication-sequence <name> for a sequence), which prompts for the password. Test with a valid account and again with a deliberately wrong password so that you confirm both the accept and the reject path before relying on the profile.