Palo Alto Networks Knowledgebase: Configuring Authentication with Fallback Options

Configuring Authentication with Fallback Options

Created On 08/05/19 19:57 PM - Last Updated 08/05/19 20:11 PM
Resolution

This document describes the following configurations:

  • Authentication: RADIUS, LDAP and LOCAL
  • Authentication Profile: RADIUS, LDAP and LOCAL
  • Authentication Sequence: RADIUS, fallback to LDAP, fallback to LOCAL
  • Using the Authentication Sequence for Firewall Administrator and Captive Portal

RADIUS Authentication

Device > Server-Profile > Radius

Configure the fields:

  • Domain name: RADIUS server domain
  • Server: Friendly name identifying the server
  • IP address: Address of the server
  • Port: 1812 (authentication)

Radius-4.1-1.GIF

Local User Authentication

Device > Local User Database > Users

  • Create a local user adding a password and enabling the user.

Local User-4.1-1.GIF


LDAP Authentication

Device > Server-Profile > LDAP

  • “Base” field: The point in the LDAP tree where the firewall connects and begins the search for users and groups.
  • “Bind DN” field: The user credentials the firewall uses to access the AD/LDAP server so that it can pull users and groups.
  • SSL is checked by default and needs server port 636; make sure to uncheck SSL if port 389 is used.
  • Domain: Must be the NETBIOS domain, or leave it blank and the system will pull the domain information automatically.

LDAP-4.1.GIF

Authentication Profile

Device > Authentication Profile

  • Configure an Authentication Profile for Local, RADIUS and LDAP authentication by selecting the Authentication method and the Server Profile.

Auth-profile.GIF

Authentication Sequence

Device > Authentication Sequence

The snapshot depicts RADIUS as the primary authentication, LDAP as the first fallback and the Local Database as the second fallback.

  • RADIUS > Fallback to LDAP > Fallback to Local
  • Lockout Time: Number of minutes that a user is locked out if the number of failed attempts is reached (0-60 minutes, default 0). 0 means that the lockout is in effect until it is manually unlocked.
  • Failed Attempts: Number of failed login attempts that are allowed before the account is locked out (1-10, default 0). 0 means that there is no limit.

Auth-sequnce.GIF
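The fallback order and the lockout rules above, as a runnable Python model added to this article (it is not PAN-OS code and does not reflect the firewall's internal implementation). The three backends, user names and passwords are constructed sample data: RADIUS is unreachable, so logins fall through to LDAP and then to the local database, and the simulated clock is passed in as `now`.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# A backend answers True (accept), False (reject) or None (server unreachable).
Backend = Callable[[str, str], Optional[bool]]


@dataclass
class AuthSequence:
    """Constructed model of the article's sequence and lockout rules; not PAN-OS code."""
    profiles: List[Tuple[str, Backend]]   # tried in this order: RADIUS, LDAP, local
    failed_attempts: int = 0              # 0 = no limit (article semantics)
    lockout_minutes: int = 0              # 0 = locked until manually unlocked
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, Optional[float]] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is not None and now >= until:  # timed lockout has expired
            self.unlock(user)
            return False
        return True

    def unlock(self, user: str) -> None:  # the "manually unlocked" case
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def authenticate(self, user: str, password: str, now: float = 0.0) -> Tuple[bool, str]:
        if self.is_locked(user, now):
            return False, "locked-out"
        for name, backend in self.profiles:
            if backend(user, password) is True:  # reject or unreachable: fall back
                self.failures.pop(user, None)
                return True, name
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failed_attempts and self.failures[user] >= self.failed_attempts:
            self.locked_until[user] = now + 60 * self.lockout_minutes if self.lockout_minutes else None
        return False, "all-profiles-failed"


def build_demo_sequence(failed_attempts: int = 3, lockout_minutes: int = 10) -> AuthSequence:
    """Constructed sample data: RADIUS unreachable, LDAP knows alice, local DB knows admin."""
    ldap_users, local_users = {"alice": "ldap-pw"}, {"admin": "local-pw"}
    return AuthSequence(
        profiles=[("radius", lambda u, p: None),
                  ("ldap", lambda u, p: ldap_users.get(u) == p),
                  ("local", lambda u, p: local_users.get(u) == p)],
        failed_attempts=failed_attempts, lockout_minutes=lockout_minutes)
```

A locked-out user is rejected even with the correct password until the timer expires or `unlock()` is called, which is the behaviour the Lockout Time and Failed Attempts settings above describe.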

Authentication Sequence for Firewall Administrator

Device > Administrators

  • Create an Administrator with Authentication Profile set to the Authentication Sequence profile.
  • Set Role to Dynamic and choose Superuser.

Administrator.GIF

Authentication Sequence for Captive-Portal Authentication

Device > User Identification > Captive Portal Settings

  • Select the Authentication Sequence as the Authentication Profile.

Captive-Portal.GIF

owner: akawimandan
