Configuring Authentication with Fallback Options

36390
Created On 09/25/18 17:18 PM - Last Modified 06/13/23 02:49 AM


Resolution


This document describes the following configurations:

  • Authentication: RADIUS, LDAP and LOCAL
  • Authentication Profile: RADIUS, LDAP and LOCAL
  • Authentication Sequence: RADIUS, fallback to LDAP, fallback to LOCAL
  • Using the Authentication Sequence for Firewall Administrator and Captive Portal


RADIUS Authentication

Device > Server-Profile > Radius

Configure the fields:

  • Domain name: the RADIUS server domain
  • Server: a friendly name identifying the server
  • IP address: the address of the server
  • Port: 1812 (authentication)

[Screenshot: Radius-4.1-1.GIF]

Local User Authentication

Device > Local User Database > Users

  • Create a local user, add a password, and enable the user.

[Screenshot: Local User-4.1-1.GIF]

LDAP Authentication

Device > Server-Profile > LDAP

  • The “Base” field is the point in the LDAP tree where the firewall connects and begins its search for users and groups.
  • The “Bind DN” field contains the user name credentials that the firewall uses to access the AD/LDAP server so that it can pull users and groups.
  • SSL is checked by default and requires server port 636; make sure to uncheck SSL if port 389 is used.
  • Domain: must be the NetBIOS domain, or leave it blank and the system will pull the domain information automatically.

[Screenshot: LDAP-4.1.GIF]

Authentication Profile

Device > Authentication Profile

  • Configure an Authentication Profile for Local, RADIUS and LDAP authentication by selecting the authentication type and the corresponding server profile.

[Screenshot: Auth-profile.GIF]

Authentication Sequence

Device > Authentication Sequence

The snapshot depicts RADIUS as the primary authentication, LDAP as the first fallback and the Local Database as the second fallback.

  • RADIUS > Fallback to LDAP > Fallback to Local
  • Lockout Time: the number of minutes that a user is locked out once the number of failed attempts is reached (0-60 minutes, default 0). 0 means that the lockout stays in effect until it is manually unlocked.
  • Failed Attempts: the number of failed login attempts that are allowed before the account is locked out (1-10, default 0). 0 means that there is no limit.

[Screenshot: Auth-sequnce.GIF]
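As an added illustration (not from the article and not PAN-OS code), the following Python model shows how the sequence and the two lockout settings above interact: it tries RADIUS, then LDAP, then the local database, counting failures per user. It assumes that both a rejection and an unreachable server fall through to the next profile; the backends, user names and passwords are constructed stand-ins.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
# A backend returns True (accept), False (reject) or None (server unreachable).
Backend = Callable[[str, str], Optional[bool]]

@dataclass
class AuthSequence:
    """Ordered profiles plus the page's lockout settings (0 = no limit / manual unlock)."""
    profiles: List[Tuple[str, Backend]]
    failed_attempts: int = 0    # 0 = unlimited failed attempts
    lockout_time: int = 0       # minutes; 0 = locked until manually unlocked
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, Optional[int]] = field(default_factory=dict)

    def is_locked(self, user: str, now: int) -> bool:
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]          # None = manual unlock only
        if until is None or now < until:
            return True
        self.unlock(user)                        # timed lockout has expired
        return False

    def unlock(self, user: str) -> None:         # administrator unlocks the account
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def authenticate(self, user: str, password: str, now: int = 0) -> str:
        if self.is_locked(user, now):
            return "locked"
        for name, backend in self.profiles:
            if backend(user, password) is True:
                self.failures.pop(user, None)
                return f"accepted by {name}"
            # Assumption: a reject and an unreachable server both fall through
            # to the next profile in the sequence.
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failed_attempts and self.failures[user] >= self.failed_attempts:
            self.locked_until[user] = None if self.lockout_time == 0 else now + self.lockout_time
        return "rejected"

# Constructed stand-ins for the three profiles (hypothetical accounts).
def radius(user: str, pw: str) -> Optional[bool]:
    return None                                  # RADIUS server is unreachable
def ldap(user: str, pw: str) -> Optional[bool]:
    return (user, pw) == ("alice", "ldap-pass")
def local(user: str, pw: str) -> Optional[bool]:
    return {"admin": "local-pass"}.get(user) == pw
def build_sequence(failed_attempts: int = 3, lockout_time: int = 0) -> AuthSequence:
    return AuthSequence([("RADIUS", radius), ("LDAP", ldap), ("LOCAL", local)],
                        failed_attempts, lockout_time)
```

With Failed Attempts at 3 and Lockout Time at 0, three wrong passwords lock the account until unlock() is called; with Failed Attempts at 0 no lockout ever occurs.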

Authentication Sequence for Firewall Administrator

Device > Administrators

  • Create an administrator with the Authentication Profile set to the Authentication Sequence profile.
  • Choose Role: Dynamic, Superuser.

[Screenshot: Administrator.GIF]

Authentication Sequence for Captive-Portal Authentication

Device > User Identification > Captive Portal Settings

  • Select the Authentication Sequence as the Authentication Profile.

[Screenshot: Captive-Portal.GIF]

owner: akawimandan
