Configure an Authentication Profile and Sequence (2023)


An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web interface and end users who access applications through Authentication Portal or GlobalProtect. The service can be Local Authentication that the firewall provides or External Authentication Services. The authentication profile also defines options such as Kerberos single sign-on (SSO).

Some networks have multiple databases (such as TACACS+ and LDAP) for different users and user groups. To authenticate users in such cases, configure an authentication sequence—a ranked order of authentication profiles that the firewall matches a user against during login. The firewall checks against each profile in sequence until one successfully authenticates the user. A user is denied access only if authentication fails for all the profiles in the sequence. The sequence can specify authentication profiles that are based on any authentication service that the firewall supports except Multi-Factor Authentication (MFA) and SAML.

  1. (External service only) Enable the firewall to connect to an external server for authenticating users:

    1. Set up the external server. Refer to your server documentation for instructions.

    2. Configure a server profile for the type of authentication service you use.

      • Add a RADIUS server profile.

      If the firewall integrates with an MFA service through RADIUS, you must add a RADIUS server profile. In this case, the MFA service provides all the authentication factors. If the firewall integrates with an MFA service through a vendor API, you can still use a RADIUS server profile for the first factor, but MFA server profiles are required for additional factors.

      • Add an MFA server profile.

      • Add a SAML IdP server profile.

      • Add a Kerberos server profile.

      • Add a TACACS+ server profile.

      • Add an LDAP server profile.

  2. (Local database authentication only) Configure a user database that is local to the firewall.

    Perform these steps for each user and user group for which you want to configure Local Authentication based on a user identity store that is local to the firewall:

  3. (Kerberos SSO only) Create a Kerberos keytab for the firewall if Kerberos single sign-on (SSO) is the primary authentication service.

    Create a Kerberos keytab. A keytab is a file that contains Kerberos account information for the firewall. To support Kerberos SSO, your network must have a Kerberos infrastructure.

  4. Configure an authentication profile.

    Define one or both of the following:

    • Kerberos SSO—The firewall first tries SSO authentication. If that fails, it falls back to the specified authentication Type.

    • External authentication or local database authentication—The firewall prompts the user to enter login credentials, and uses an external service or local database to authenticate the user.

    1. Select Device > Authentication Profile and Add the authentication profile.

    2. Enter a Name to identify the authentication profile.

    3. Select the Type of authentication service.

      • If you use Multi-Factor Authentication, the selected type applies only to the first authentication factor. You select services for additional MFA factors in the Factors tab.

      • If you select RADIUS, TACACS+, LDAP, or Kerberos, select the Server Profile.

      • If you select LDAP, select the Server Profile and define the Login Attribute. For Active Directory, enter sAMAccountName as the value.

      • If you select SAML, select the IdP Server Profile.

      • If you select Cloud Authentication Service, configure a Cloud Identity Engine instance to communicate with the firewall. For more information on the Cloud Identity Engine, see the Cloud Identity Engine Getting Started guide.

    4. If you want to enable Kerberos SSO, enter the Kerberos Realm (usually the DNS domain of the users, except that the realm is UPPERCASE) and Import the Kerberos Keytab that you created for the firewall or Panorama.

    5. (MFA only) Select Factors, Enable Additional Authentication Factors, and Add the MFA server profiles you configured.

      The firewall will invoke each MFA service in the listed order, from top to bottom.

    6. Select Advanced and Add the users and groups that can authenticate with this profile.

      You can select users and groups from the local database or, if you configured the firewall to Map Users to Groups, from an LDAP-based directory service such as Active Directory. By default, the list is empty, meaning no users can authenticate.

      You can also select custom groups defined in a group mapping configuration.

    7. (Optional) To modify the user information before the firewall sends the authentication request to the server, configure a Username Modifier.

      • %USERDOMAIN%\%USERINPUT%—If the source does not include the domain (for example, it uses the sAMAccountName), the firewall adds the User Domain you specify before the username. If the source includes the domain, the firewall replaces that domain with the User Domain. If the User Domain is empty, the firewall removes the domain from the user information that the firewall receives from the source before the firewall sends the request to the authentication server.

        Because LDAP servers do not support backslashes in the sAMAccountName, do not use this option to authenticate with an LDAP server.

      • %USERINPUT%—(Default) The firewall sends the user information to the authentication server in the format it receives from the source.

      • %USERINPUT%@%USERDOMAIN%—If the source does not include the domain, the firewall adds the User Domain value after the username. If the source includes the domain, the firewall replaces that domain with the User Domain value. If the User Domain is empty, the firewall removes the domain from the user information that the firewall receives from the source before the firewall sends the request to the authentication server.

      • None—If you manually enter None:

        • For LDAP and Kerberos server profiles, the firewall uses the domain it receives from the source to select the appropriate authentication profile, then removes the domain when it sends the authentication request to the server. This allows you to include the User Domain during the authentication sequence but remove the domain before the firewall sends the authentication request to the server. For example, if you are using an LDAP server profile and the sAMAccountName as the attribute, use this option so that the firewall does not send the domain to an authentication server that expects only a username and not a domain.

        • For RADIUS server profiles:

        • For local databases, TACACS+, and SAML, the firewall sends the user information to the authentication server in the format it receives from the source.

    8. Click OK to save the authentication profile.

  5. Configure an authentication sequence.

    Required if you want the firewall to try multiple authentication profiles to authenticate users. The firewall evaluates the profiles in top-to-bottom order until one profile successfully authenticates the user.

    1. Select Device > Authentication Sequence and Add the authentication sequence.

    2. Enter a Name to identify the authentication sequence.

      To expedite the authentication process, Use domain to determine authentication profile: the firewall matches the domain name that a user enters during login with the User Domain or Kerberos Realm of an authentication profile in the sequence, and then uses that profile to authenticate the user. If the firewall does not find a match, or if you disable the option, the firewall tries the profiles in the top-to-bottom sequence.

    3. Add each authentication profile. To change the evaluation order of the profiles, select a profile and Move Up or Move Down.

    4. Click OK to save the authentication sequence.

  6. Assign the authentication profile or sequence to an administrative account for firewall administrators or to Authentication policy for end users.

    • Administrators—Assign the authentication profile based on how you manage administrator authorization:

      Authorization managed locally on the firewall—Configure a Firewall Administrator Account.

      Authorization managed on a SAML, TACACS+, or RADIUS server—Select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile.

    • End users—For the full procedure to configure authentication for end users, see Configure Authentication Policy.

  7. Verify that the firewall can Test Authentication Server Connectivity to authenticate users.
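As an added illustration (not code from the Palo Alto Networks documentation or from PAN-OS itself), the following Python models the two behaviours the procedure above describes: how an authentication sequence with Use domain to determine authentication profile picks a profile, and how each Username Modifier option rewrites the login name before it is sent to the server. The profile names, domains and account lists are constructed; case-insensitive realm matching, what happens after a domain-matched profile fails, and the None modifier with RADIUS are not described on this page and are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

@dataclass
class AuthProfile:
    name: str
    server_type: str           # "ldap", "kerberos", "radius", "tacacs+", "saml" or "local"
    user_domain: str = ""      # the profile's User Domain ("" = empty)
    kerberos_realm: str = ""   # the profile's Kerberos Realm (UPPERCASE by convention)
    modifier: str = "%USERINPUT%"  # the profile's Username Modifier

def split_login(user_input: str) -> Tuple[str, Optional[str]]:
    """Split 'DOMAIN\\user' or 'user@domain' into (user, domain); domain is None if absent."""
    if "\\" in user_input:
        domain, user = user_input.split("\\", 1)
        return user, domain
    if "@" in user_input:
        user, domain = user_input.rsplit("@", 1)
        return user, domain
    return user_input, None

def apply_username_modifier(profile: AuthProfile, user_input: str) -> str:
    """Return the username the firewall would send to the authentication server."""
    user, _ = split_login(user_input)
    mod = profile.modifier
    if mod == "%USERINPUT%":                # default: pass the input through unchanged
        return user_input
    if mod == "None":
        if profile.server_type in ("ldap", "kerberos"):
            return user                     # domain picked the profile; strip it for the request
        # Local database, TACACS+ and SAML pass the input through. The page does not
        # describe RADIUS with None, so pass-through is assumed for it here.
        return user_input
    # %USERDOMAIN%\%USERINPUT% and %USERINPUT%@%USERDOMAIN%: add or replace the domain
    # with the profile's User Domain; an empty User Domain removes the domain entirely.
    if not profile.user_domain:
        return user
    if mod == "%USERDOMAIN%\\%USERINPUT%":
        return f"{profile.user_domain}\\{user}"
    if mod == "%USERINPUT%@%USERDOMAIN%":
        return f"{user}@{profile.user_domain}"
    raise ValueError(f"unknown Username Modifier {mod!r}")

def select_profile_by_domain(sequence: List[AuthProfile], user_input: str) -> Optional[AuthProfile]:
    """Use domain to determine authentication profile: match the typed domain against each
    profile's User Domain or Kerberos Realm (case-insensitively; an assumption here)."""
    _, domain = split_login(user_input)
    if not domain:
        return None
    for profile in sequence:
        if domain.lower() in {profile.user_domain.lower(), profile.kerberos_realm.lower()}:
            return profile
    return None

def authenticate_with_sequence(sequence: List[AuthProfile], user_input: str, use_domain_match: bool,
                               backend: Callable[[AuthProfile, str], bool]) -> Tuple[Optional[str], Optional[str]]:
    """Return (profile name, username sent) on success, or (None, None) when the user is denied."""
    candidates = list(sequence)
    if use_domain_match:
        hit = select_profile_by_domain(sequence, user_input)
        if hit is not None:     # page: the matched profile is used; no fall-back after a
            candidates = [hit]  # failed matched profile is described, so none is modelled
    for profile in candidates:  # otherwise top-to-bottom until one profile succeeds
        sent = apply_username_modifier(profile, user_input)
        if backend(profile, sent):
            return profile.name, sent
    return None, None

# Constructed sample sequence plus the usernames each constructed backend accepts.
SAMPLE_SEQUENCE = [
    AuthProfile("ldap-corp", "ldap", user_domain="corp.example.com", modifier="None"),
    AuthProfile("radius-contractors", "radius", user_domain="contractors.example.com",
                modifier="%USERINPUT%@%USERDOMAIN%"),
    AuthProfile("krb-sso", "kerberos", kerberos_realm="CORP.EXAMPLE.COM", modifier="None"),
]
SAMPLE_ACCOUNTS = {
    "ldap-corp": {"alice"},                   # LDAP expects a bare sAMAccountName
    "radius-contractors": {"bob@contractors.example.com"},
    "krb-sso": {"alice"},
}

def sample_backend(profile: AuthProfile, sent: str) -> bool:
    """Stand-in for the real server request: accept only the constructed known accounts."""
    return sent in SAMPLE_ACCOUNTS.get(profile.name, set())
```

Feeding a login such as "corp.example.com\alice" through authenticate_with_sequence shows which profile handled it and exactly what name reached the server, which is what you compare against authd.log when a sequence denies a user unexpectedly.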



Article information

Author: Patricia Veum II

Last Updated: 01/09/2023
