Administrative Authentication
You can configure the following types of administrator authentication:
| Account Type | Authentication Method | Description |
|---|---|---|
| Local | Local (no database) | The administrator account credentials and the authentication mechanisms are local to the firewall. You can further secure local accounts by setting global password complexity and expiration settings for all accounts or by creating a password profile that defines password expiration settings for specific accounts. For details, see Configure an Administrative Account. |
| Local | Local database | The firewall uses a local database to store the administrator account credentials and to perform authentication. If your network supports Kerberos single sign-on (SSO), you can configure local authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators. |
| Local | SSL-based | The administrator accounts are local to the firewall, but authentication is based on SSH certificates (for CLI access) or client certificates (for web interface access). For details, see Configure SSH Key-Based Administrator Authentication to the CLI and Configure Certificate-Based Administrator Authentication to the Web Interface. |
| Local | External service | The administrator accounts are local to the firewall, but external services (LDAP, Kerberos, TACACS+, or RADIUS) handle the authentication functions. If your network supports Kerberos single sign-on (SSO), you can configure external authentication as a fallback in case SSO fails. For details, see Configure Kerberos SSO and External or Local Authentication for Administrators. |
| External | External service | An external RADIUS server handles account management and authentication. You must define Vendor-Specific Attributes (VSAs) on your RADIUS server that map to the administrator role, access domain, user group (if applicable), and virtual system (if applicable). For details, see Configure RADIUS Vendor-Specific Attributes for Administrator Authentication. |
