Palo Alto Networks firewalls and Panorama can use external servers for many services that require authentication, including administrator access to the web interface and end user access to Captive Portal, GlobalProtect portals and GlobalProtect gateways. The server protocols that firewalls and Panorama support include Lightweight Directory Access Protocol (LDAP), Kerberos, Terminal Access Controller Access-Control System Plus (TACACS+), and Remote Authentication Dial-In User Service (RADIUS). If you enable both external authentication and
Kerberos single sign-on (SSO), the firewall or Panorama first tries SSO and, only if that fails, falls back to the external server for authentication. To configure external authentication, you create an authentication server profile, assign it to an
authentication profile, and then enable authentication for an administrator account or firewall/Panorama service by assigning the authentication profile to it.