
Configuring Authentication with Fallback Options | Palo Alto Networks Live 3/22/15, 2:25 PM


Configuring Authentication with Fallback Options

Version 8

created by Ameya on Jul 23, 2012 7:05 PM, last modified by Ameya on Feb 7, 2014 9:21 AM

This document describes the following configurations:

Authentication: RADIUS, LDAP and LOCAL
Authentication Profile: RADIUS, LDAP and LOCAL
Authentication Sequence: RADIUS, fallback to LDAP, fallback to LOCAL
Using the Authentication Sequence for Firewall Administrator and Captive Portal

RADIUS Authentication
Device > Server-Profile > Radius
Configure the fields:
Domain name: RADIUS server domain
Server: Friendly Name identifying Server
IP address: Address of Server
Port: 1812 (authentication)

Local User Authentication


Device > Local User Database > Users
Create a local user, set a password, and enable the user.

https://live.paloaltonetworks.com/docs/DOC-3388 Page 1 of 5

LDAP Authentication
Device > Server-Profile > LDAP
Base: the point in the LDAP tree where the firewall connects and begins the search for users and groups.
Bind DN: the user name credentials that the firewall uses to access the AD/LDAP server in order to pull users and groups.
SSL: checked by default and requires server port 636. Make sure to uncheck SSL if port 389 is used.
Domain: must be the NetBIOS domain, or leave it blank and the system will pull the domain information automatically.

Authentication Profile
Device > Authentication Profile


Configure an Authentication Profile for Local, RADIUS and LDAP authentication by selecting the Authentication and Server Profile settings.

Authentication Sequence
Device > Authentication Sequence

The snapshot depicts RADIUS as the primary authentication, LDAP as the first fallback and the Local Database as the second fallback.
RADIUS > Fallback to LDAP > Fallback to Local
Lockout Time: Number of minutes that a user is locked out if the number of failed attempts is reached (0-60 minutes, default 0). 0 means that the lockout is in effect until it is manually unlocked.
Failed Attempts: Number of failed login attempts that are allowed before the account is locked out (1-10, default 0). 0 means that there is no limit.
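
A simplified model of the sequence and lockout settings described above, added here as an illustration (it is not Palo Alto Networks code). It assumes the sequence tries each profile in order and accepts the first success, and that failures are counted per user across the whole sequence; the class, helper and account names are made up for the example.

```python
import hmac

def store(db):
    """Constructed stand-in for one server profile's credential check."""
    return lambda user, pw: hmac.compare_digest(db.get(user, ""), pw)

# Constructed sample data: one account per back end.
PROFILES = [("RADIUS", store({"alice": "radius-pw"})),
            ("LDAP", store({"bob": "ldap-pw"})),
            ("LOCAL", store({"admin": "local-pw"}))]

class AuthSequence:
    def __init__(self, profiles, failed_attempts=0, lockout_minutes=0):
        if not (0 <= failed_attempts <= 10 and 0 <= lockout_minutes <= 60):
            raise ValueError("setting outside the documented range")
        self.profiles = profiles
        self.failed_attempts = failed_attempts  # 0 = no limit
        self.lockout_minutes = lockout_minutes  # 0 = until manually unlocked
        self.failures = {}   # user -> consecutive failed logins
        self.locked_at = {}  # user -> minute at which the lockout began

    def unlock(self, user):
        self.locked_at.pop(user, None)
        self.failures.pop(user, None)

    def is_locked(self, user, now):
        if user not in self.locked_at:
            return False
        if self.lockout_minutes and now - self.locked_at[user] >= self.lockout_minutes:
            self.unlock(user)  # timed lockout has expired
            return False
        return True

    def login(self, user, pw, now=0):
        """Return the profile name that accepted the login, "LOCKED", or None."""
        if self.is_locked(user, now):
            return "LOCKED"
        for name, check in self.profiles:  # assumed: first success wins
            if check(user, pw):
                self.failures.pop(user, None)
                return name
        count = self.failures[user] = self.failures.get(user, 0) + 1
        if self.failed_attempts and count >= self.failed_attempts:
            self.locked_at[user] = now
        return None
```

With both settings left at 0 the model never locks an account, so password guessing against any of the three back ends is unthrottled; with Lockout Time 0 and a non-zero Failed Attempts, a locked account stays locked until `unlock()` is called.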

Authentication Sequence for Firewall Administrator


Device > Administrators
Create Administrator with Authentication Profile = Authentication Sequence profile.
Choose Role-Dynamic-SuperUser.


Authentication Sequence for Captive-Portal Authentication


Device > User Identification > Captive Portal Settings

Select the Authentication Sequence as the Authentication Profile.

owner: akawimandan
