Configure an Administrator with Certificate-Based Authentication for the Web Interface
As a more secure alternative to password-based authentication to the Panorama web interface, you can configure certificate-based authentication for administrator accounts that are local to Panorama. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables username/password logins for all administrators on Panorama; thereafter, all administrators require the certificate to log in.
1. Generate a certificate authority (CA) certificate on Panorama. You will use this CA certificate to sign the client certificate of each administrator. Create a self-signed root CA certificate. Alternatively, you can import a certificate from your enterprise CA.
2. Configure a certificate profile for securing access to the web interface. Select Panorama > Certificate Management > Certificate Profile and click Add. Enter a Name for the certificate profile and set the Username Field to Subject. Select Add in the CA Certificates section and select the CA Certificate you just created. Click OK to save the profile.
3. Configure Panorama to use the certificate profile for authenticating administrators. Select Panorama > Setup > Management and edit the Authentication Settings. Select the Certificate Profile you just created and click OK.
4. Configure the administrator accounts to use client certificate authentication. Configure an Administrative Account for each administrator who will access the Panorama web interface. Select the Use only client certificate authentication (Web) check box. If you have already deployed client certificates that your enterprise CA generated, skip to Step 8. Otherwise, continue with Step 5.
5. Generate a client certificate for each administrator. Generate a certificate on Panorama. In the Signed By drop-down, select the CA certificate you created.
6. Export the client certificates. Export the certificates. Commit your changes. Panorama restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.
7. Import the client certificate into the client system of each administrator who will access the web interface. Refer to your web browser documentation as needed to complete this step.
8. Verify that administrators can access the web interface. Open the Panorama IP address in a browser on the computer that has the client certificate. When prompted, select the certificate you imported and click OK. The browser displays a certificate warning. Add the certificate to the browser exception list. Click Login. The web interface should appear without prompting you for a username or password.
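
Because committing this configuration disables password logins for every administrator, each exported client certificate can be checked against the CA certificate on a workstation before the commit. The script below is an added example, not part of the original procedure or any Palo Alto Networks tooling; it assumes PEM-encoded exports and that the subject common name carries the administrator account name, and it runs the check against a constructed throwaway CA and certificates.

```bash
#!/usr/bin/env bash
# Added example, not vendor code. Assumptions: PEM-encoded certificates, and the
# administrator account name is carried in the subject common name (CN).

# check_admin_cert CA_PEM CLIENT_PEM ADMIN_NAME
# Succeeds only if the client certificate verifies against the CA (signature
# and validity dates) and its subject CN equals the administrator name.
check_admin_cert() {
  local ca="$1" cert="$2" admin="$3" cn
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL $cert: does not verify against $ca"; return 1
  fi
  cn=$(openssl x509 -in "$cert" -noout -subject -nameopt multiline |
       sed -n 's/^ *commonName *= *//p')
  if [ "$cn" != "$admin" ]; then
    echo "FAIL $cert: subject CN '$cn' is not '$admin'"; return 1
  fi
  echo "OK $cert: signed by CA, CN=$cn"
}

# make_demo_pki DIR: constructed throwaway CA and certificates for the demo.
#   admin1.pem  signed by the demo CA (expected to pass)
#   rogue.pem   self-signed with the same CN, not issued by the demo CA
make_demo_pki() {
  local d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Admin CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=admin1" \
    -keyout "$d/admin1.key" -out "$d/admin1.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/admin1.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/admin1.pem" 2>/dev/null &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=admin1" \
    -keyout "$d/rogue.key" -out "$d/rogue.pem" 2>/dev/null
}

# Demo run: one pass, then a wrong-issuer failure and a wrong-name failure.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
check_admin_cert "$demo_dir/ca.pem" "$demo_dir/admin1.pem" admin1
check_admin_cert "$demo_dir/ca.pem" "$demo_dir/rogue.pem" admin1 || true
check_admin_cert "$demo_dir/ca.pem" "$demo_dir/admin1.pem" admin2 || true
rm -rf "$demo_dir"
```

For real use, call `check_admin_cert` with the exported CA certificate, the exported client certificate, and the administrator account name.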
