Palo Alto Networks Authentication Sequence

Overview

In environments where user accounts reside in more than one store (for example an LDAP directory, a RADIUS server, and the firewall's local user database), PAN-OS lets you configure an authentication sequence. A sequence is an ordered list of authentication profiles; the firewall tries them from the top until one authenticates the user or all of them have been tried. A sequence can be selected anywhere an authentication profile can (GlobalProtect portals and gateways, the authentication portal, and administrator accounts), so the same fallback order applies to every login that references it.

How Authentication Sequence Works

  1. The firewall receives a login attempt from a user.
  2. It begins checking the authentication profiles in the sequence, starting from the top.
  3. For each profile:
    • If the authentication attempt is successful, the user is granted access, and the sequence stops.
    • If the authentication attempt fails (e.g., due to incorrect credentials), the firewall proceeds to the next profile in the sequence.
  4. If all profiles in the sequence fail to authenticate the user, access is denied.

This lets users be authenticated against several sources with one configuration and gives some redundancy when one source is unavailable. The security-relevant consequence is that a rejection by one source is not final: a user whose directory account has been disabled is still granted access if a later profile (for example the local database) holds a credential that still works. The order of the profiles, and the hygiene of the later ones, therefore decides who can get in.
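The following is an added model of the behaviour described above, not PAN-OS code. It walks an ordered list of profiles, stops at the first acceptance, and records which profile reached which verdict. The profile names, the account stores and their contents, and the "unreachable" RADIUS server are all constructed for the example; a real profile would query LDAP, RADIUS, or the local database.

```python
"""Model of an authentication sequence: profiles tried in order, first
acceptance wins, every profile tried means denial.  Added illustration,
not PAN-OS code; the account stores below are constructed."""
from dataclasses import dataclass, field
from hashlib import pbkdf2_hmac
from hmac import compare_digest
import os


def hash_pw(password, salt):
    """Stand-in for the backend's credential check (PBKDF2-SHA256)."""
    return pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def make_account(password):
    """Constructed account entry: (random salt, password hash)."""
    salt = os.urandom(16)
    return salt, hash_pw(password, salt)


@dataclass
class Profile:
    name: str                 # hypothetical profile name, e.g. "ldap-corp"
    accounts: dict            # username -> (salt, hash); stands in for LDAP/RADIUS/local
    disabled: set = field(default_factory=set)  # accounts the backend has disabled
    reachable: bool = True    # False simulates a server that cannot be contacted

    def check(self, user, password):
        """Verdict of this single profile: accepted, rejected, or unreachable."""
        if not self.reachable:
            return "unreachable"
        if user not in self.accounts or user in self.disabled:
            return "rejected"
        salt, digest = self.accounts[user]
        if compare_digest(hash_pw(password, salt), digest):
            return "accepted"
        return "rejected"


def authenticate(sequence, user, password):
    """Try each profile top to bottom; stop at the first acceptance.
    Returns (granted, name of the accepting profile or None, trace of
    (profile, verdict) pairs), which is the audit record you want logged."""
    trace = []
    for profile in sequence:
        verdict = profile.check(user, password)
        trace.append((profile.name, verdict))
        if verdict == "accepted":
            return True, profile.name, trace
    return False, None, trace


def build_demo_sequence():
    """Constructed sequence: LDAP, then RADIUS (down), then the local database."""
    ldap = Profile("ldap-corp",
                   {"alice": make_account("Correct-Horse-1"),
                    "bob": make_account("Staple-Battery-2")},
                   disabled={"bob"})          # bob was disabled in the directory
    radius = Profile("radius-mfa", {}, reachable=False)   # RADIUS server unreachable
    local = Profile("local-db",
                    {"bob": make_account("Staple-Battery-2"),   # stale duplicate account
                     "admin": make_account("Emergency-Only-3")})
    return [ldap, radius, local]


if __name__ == "__main__":
    seq = build_demo_sequence()
    for user, pw in [("alice", "Correct-Horse-1"), ("alice", "wrong"),
                     ("bob", "Staple-Battery-2"), ("admin", "Emergency-Only-3")]:
        granted, via, trace = authenticate(seq, user, pw)
        print(user, "granted" if granted else "denied", "via", via, trace)
```

Running it shows the point made above: "bob" is rejected by the directory, the RADIUS profile is skipped as unreachable, and the stale local-database account still lets him in. The trace is what a reviewer needs to see in the logs to notice that a login succeeded only through a fallback profile.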

Example Scenario

Consider an authentication sequence with the following profiles:

  1. LDAP Profile: Authenticates users against an LDAP directory.
  2. RADIUS Profile: Authenticates users via a RADIUS server.
  3. Local Database Profile: Authenticates users against the firewall's local user database.

When a user attempts to log in, the firewall first tries the LDAP profile. If LDAP accepts the credentials, the user is granted access and the RADIUS and local database profiles are never consulted. If LDAP rejects the attempt, the RADIUS profile is tried next, and if that also fails, the local database profile. Only when all three have failed is access denied.

Configuration Tips

  • Sequences are defined under Device > Authentication Sequence and reference profiles defined under Device > Authentication Profile; the profiles must exist before they can be added to a sequence.
  • Order the profiles from the most authoritative and most used source to the least. Every profile that rejects the attempt costs a further round trip, and an unreachable server costs a full timeout, before the next profile is tried.
  • Put the local database profile last and keep it to break-glass accounts. Do not keep local accounts that duplicate directory accounts: disabling the user in the directory does not stop the local profile from accepting them.
  • Failed Attempts and Lockout Time are settings on each authentication profile, not on the sequence, so lockout behaviour must be reviewed profile by profile.
  • Exercise a sequence from the CLI with `test authentication authentication-sequence <name> username <user> password` (the password is prompted for) to confirm which profile a given user is actually authenticated by before putting the sequence into production.
