Palo Alto Networks Knowledgebase: Configuring Authentication with Fallback Options

Created On 08/05/19 19:57 PM - Last Updated 08/05/19 20:11 PM

This document describes the following configurations:

  • Authentication: RADIUS, LDAP and LOCAL
  • Authentication Profile: RADIUS, LDAP and LOCAL
  • Authentication Sequence: RADIUS, fallback to LDAP, fallback to LOCAL
  • Using the Authentication Sequence for Firewall Administrator and Captive Portal

RADIUS Authentication

Device > Server-Profile > Radius

Configure the fields:

  • Domain name: RADIUS server domain
  • Server: friendly name identifying the server
  • IP address: address of the server
  • Port: 1812 (authentication)


Local User Authentication

Device > Local User Database > Users

  • Create a local user adding a password and enabling the user.


LDAP Authentication

Device > Server-Profile > LDAP

  • “Base”: the point in the LDAP tree where the firewall connects and begins its search for users and groups.
  • “Bind DN”: the credentials of the account the firewall uses to access the AD/LDAP server and pull users and groups.
  • SSL is checked by default and requires server port 636; uncheck SSL if port 389 is used (note that a simple bind over port 389 without TLS sends the Bind DN password in cleartext).
  • Domain: the NetBIOS domain name, or leave it blank and the system will pull the domain information automatically.


Authentication Profile

Device > Authentication Profile

  • Configure an Authentication Profile for each of Local, RADIUS and LDAP authentication by selecting the authentication method and the matching Server Profile.


Authentication Sequence

Device > Authentication Sequence

The screenshot shows RADIUS as the primary authentication, LDAP as the first fallback and the Local Database as the second fallback.

  • RADIUS > fallback to LDAP > fallback to Local
  • Lockout Time: number of minutes a user is locked out once the number of failed attempts is reached (0-60 minutes, default 0). 0 means the lockout remains in effect until the account is manually unlocked.
  • Failed Attempts: number of failed login attempts allowed before the account is locked out (1-10, default 0). 0 means there is no limit.
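To make the sequence and lockout semantics concrete, here is an added simulation (not Palo Alto Networks code) of the behaviour described above: the firewall tries RADIUS, then LDAP, then the Local User Database until one accepts the credentials, and the Failed Attempts / Lockout Time settings apply once every profile has refused. The three stores are constructed in-memory stand-ins with made-up users and passwords, and the fallback rule is simplified to an assumption that any failure (rejected credentials or an unreachable server) moves on to the next profile.

```python
"""Simulation of an authentication sequence with fallback and lockout.

Added example, not vendor code. Backends are constructed stand-ins for the
RADIUS, LDAP and Local User Database profiles; "move to the next profile on
any failure" is an assumed simplification of the firewall's behaviour.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Backend:
    """One authentication profile: a name and a credential-check callable.

    The callable answers "ok", "rejected" or "unreachable".
    """
    name: str
    check: Callable[[str, str], str]


def static_backend(name: str, users: Dict[str, str], reachable: bool = True) -> Backend:
    """Constructed stand-in for a server profile backed by a user:password dict."""
    def check(user: str, password: str) -> str:
        if not reachable:
            return "unreachable"
        return "ok" if users.get(user) == password else "rejected"
    return Backend(name, check)


@dataclass
class AuthSequence:
    """Tries each backend in order until one accepts the credentials.

    failed_attempts: failures allowed before lockout; 0 = no limit.
    lockout_minutes: lockout length; 0 = locked until manually unlocked.
    """
    backends: List[Backend]
    failed_attempts: int = 0
    lockout_minutes: int = 0
    failures: Dict[str, int] = field(default_factory=dict)
    # A value of None means "locked until unlock() is called" (Lockout Time = 0).
    locked_until: Dict[str, Optional[float]] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        if user not in self.locked_until:
            return False
        until = self.locked_until[user]
        if until is None or now < until:
            return True
        self.unlock(user)  # timed lockout has expired
        return False

    def unlock(self, user: str) -> None:
        """Manual unlock by an administrator: clears lockout and failure count."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)

    def authenticate(self, user: str, password: str, now: float = 0.0) -> Tuple[bool, str, List[str]]:
        """Returns (success, answering backend or reason, trail of backend answers)."""
        trail: List[str] = []
        if self.is_locked(user, now):
            return False, "locked", trail
        for backend in self.backends:
            result = backend.check(user, password)
            trail.append(f"{backend.name}:{result}")
            if result == "ok":
                self.failures.pop(user, None)  # success resets the counter
                return True, backend.name, trail
        # Every backend failed: this counts as one failed attempt for the user.
        count = self.failures.get(user, 0) + 1
        self.failures[user] = count
        if self.failed_attempts and count >= self.failed_attempts:
            self.locked_until[user] = (now + self.lockout_minutes) if self.lockout_minutes else None
            return False, "locked", trail
        return False, "all-backends-failed", trail


def build_sequence(radius_up: bool = True, failed_attempts: int = 3, lockout_minutes: int = 15) -> AuthSequence:
    """RADIUS > fallback to LDAP > fallback to Local, with constructed sample users."""
    return AuthSequence(
        backends=[
            static_backend("RADIUS", {"alice": "r4dius-pw"}, reachable=radius_up),
            static_backend("LDAP", {"alice": "ld4p-pw", "bob": "ld4p-bob"}),
            static_backend("LOCAL", {"breakglass": "l0cal-pw"}),
        ],
        failed_attempts=failed_attempts,
        lockout_minutes=lockout_minutes,
    )


def scenario_radius_down() -> Tuple[bool, str, List[str]]:
    """RADIUS unreachable: the LDAP password still gets alice in."""
    return build_sequence(radius_up=False).authenticate("alice", "ld4p-pw")


def scenario_timed_lockout() -> Tuple[str, bool]:
    """Three bad passwords lock alice for 15 minutes; the lock then expires."""
    seq = build_sequence(failed_attempts=3, lockout_minutes=15)
    for minute in range(3):
        seq.authenticate("alice", "wrong", now=minute)
    during = seq.authenticate("alice", "r4dius-pw", now=10)[1]  # still locked
    after = seq.authenticate("alice", "r4dius-pw", now=30)[0]   # lock expired
    return during, after


def scenario_manual_unlock() -> Tuple[bool, bool]:
    """Lockout Time 0: the lock never expires on its own."""
    seq = build_sequence(failed_attempts=2, lockout_minutes=0)
    seq.authenticate("bob", "wrong", now=0)
    seq.authenticate("bob", "wrong", now=0)
    still_locked = seq.authenticate("bob", "ld4p-bob", now=10_000)[1] == "locked"
    seq.unlock("bob")
    return still_locked, seq.authenticate("bob", "ld4p-bob", now=10_000)[0]


if __name__ == "__main__":
    print(scenario_radius_down(), scenario_timed_lockout(), scenario_manual_unlock())
```

Two points the simulation makes visible: a user who exists in more than one store can log in with whichever password the first responding store accepts, so the local account at the end of the chain is effectively a break-glass credential that works whenever RADIUS and LDAP are both down and should be guarded as such; and with Lockout Time left at its default of 0 a locked account stays locked until an administrator clears it, which is the safer default but one that should be paired with a documented unlock procedure.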


Authentication Sequence for Firewall Administrator

Device > Administrators

  • Create the administrator with Authentication Profile set to the Authentication Sequence profile.
  • Under Role, choose Dynamic and select Superuser.


Authentication Sequence for Captive-Portal Authentication

Device > User Identification > Captive Portal Settings

  • Select the Authentication Sequence as the Authentication Profile.


owner: akawimandan
