Configure an Authentication Profile and Sequence

Overview

In PAN-OS 11.1, you can define authentication profiles and sequences to manage how users and administrators authenticate to the firewall. Authentication profiles specify the authentication service (e.g., LDAP, RADIUS, SAML, Kerberos, local database) and associated settings. Authentication sequences allow the firewall to attempt multiple authentication profiles in a specified order until one succeeds.

1. Configure Server Profiles

Set up server profiles for the authentication services you plan to use:

• RADIUS Server Profile: Required if integrating with an MFA service through RADIUS. The MFA service provides all authentication factors.
• MFA Server Profile: Required if integrating with an MFA service through a vendor API.
• SAML IdP Server Profile: For SAML-based authentication.
• Kerberos Server Profile: For Kerberos authentication.
• TACACS+ Server Profile: For TACACS+ authentication.
• LDAP Server Profile: For LDAP authentication.

2. Configure Local Database (Optional)

If using local authentication:

• Add user accounts to the local database.
• Optionally, add user groups to the local database.

3. Configure Kerberos SSO (Optional)

If using Kerberos single sign-on (SSO):

• Create a Kerberos keytab file containing the firewall's Kerberos account information.
• Ensure your network has a Kerberos infrastructure in place.

4. Configure an Authentication Profile

Steps to create an authentication profile:

1. Navigate to Device > Authentication Profile and click Add .
2. Enter a Name for the profile.
3. Select the Type of authentication service (e.g., LDAP, RADIUS, SAML, Kerberos, local database).
4. Configure the associated Server Profile and other settings based on the selected type.
5. If enabling Kerberos SSO, enter the Kerberos Realm and import the Kerberos Keytab .
6. For MFA, enable additional authentication factors and add the configured MFA server profiles.
7. Under the Advanced tab, specify the users and groups allowed to authenticate with this profile.
8. Optionally, configure a Username Modifier to adjust the username format before sending it to the authentication server.
9. Click OK to save the authentication profile.

5. Configure an Authentication Sequence

Steps to create an authentication sequence:

1. Navigate to Device > Authentication Sequence and click Add .
2. Enter a Name for the sequence.
3. Optionally, enable Exit on failed authentication to stop the sequence upon a failed attempt.
4. Optionally, enable Use domain to determine authentication profile to match the user's domain to an authentication profile.
5. Add the desired authentication profiles to the sequence and arrange them in the preferred order.
6. Click OK to save the authentication sequence.

6. Assign Authentication Profile or Sequence

Assign the configured authentication profile or sequence to:

• Administrators: Assign based on how you manage administrator authorization:
  • Local authorization: Configure a firewall administrator account.
  • External authorization (SAML, TACACS+, or RADIUS): Navigate to Device > Setup > Management , edit the Authentication Settings , and select the authentication profile.
• End Users: Assign through an authentication policy. Refer to the documentation on configuring authentication policies for end users.

7. Test Authentication Server Connectivity

After configuration, verify that the firewall can authenticate users by testing the authentication server connectivity.

References

• Configure an Authentication Profile and Sequence
• Configure Local Database Authentication
• Test Authentication Server Connectivity
• Configure Authentication Policy