https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-for-admin-login/m-p/249017#M70841 <P>Correct, this is supported in 8.1.</P><P>See the updated page:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-server-profiles-multi-factor-authentication" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-server-profiles-multi-factor-authentication</A></P><P>&nbsp;</P><P><SPAN>For the following authentication use cases, the firewall integrates with multi-factor authentication (MFA) vendors using RADIUS and SAML:</SPAN></P><UL><LI><DIV class="p">Remote user authentication through GlobalProtect™ portals and gateways.</DIV></LI><LI><DIV class="p"><STRONG>Administrator authentication in the PAN-OS and Panorama™ web interface.</STRONG></DIV></LI><LI><DIV class="p">Authentication through Authentication policy.</DIV></LI></UL> Wed, 06 Feb 2019 14:32:36 GMT ksalustro 2019-02-06T14:32:36Z https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-for-admin-login/m-p/226782#M65289 <P>HI all</P><P>&nbsp;</P><P>This is likely to have been asked before, but a search of the Live! forums didn't turn up anything relevant</P><P>As part of security best practices in my organisation, I'm looking to enable 2FA (via DUO) on the&nbsp;admin web interface</P><P>&nbsp;</P><P>I have the instructions for adding 2FA to user browsing via Captive Portal, and for adding 2FA to GlobalProtect connections, but there doesn't seem to be anything for the admin interface. I noticed on <A href="https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/device/device-server-profiles-multi-factor-authentication" target="_self">this page</A> it says "<SPAN>The firewall supports MFA only for end users, not firewall administrators".</SPAN></P><P>&nbsp;</P><P><SPAN>I just wanted to check with anyone that can confirm, is that a universal rule for PAN-OS (as of 8.0)? </SPAN></P><P><SPAN>There is no support for 2FA on the admin login at present?</SPAN></P><P>&nbsp;</P><P><SPAN>Thinking about the&nbsp;flow of an admin login, I'm not sure I can see how it would work.&nbsp;You can't really&nbsp;use source &amp; dest objects to specify the admin interface when defining an Authentication Policy, to my knowledge. But if this can be done, I'd appreciate any instructions</SPAN></P><P>&nbsp;</P><P><SPAN>I'm using a PA-220 on PAN-OS 8.1.2, with administrator logins stored in Active Directory and an&nbsp;LDAP-based Authentication Profile to secure logins.</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P> Sat, 11 Aug 2018 04:07:06 GMT https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-for-admin-login/m-p/226782#M65289 Retired Member 2018-08-11T04:07:06Z https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-for-admin-login/m-p/226798#M65293 <P>Hi @Retired Member</P><P>&nbsp;</P><P>As far as I know MFA with the PAN-OS integrated MFA provider this isn't possible. Only with RADIUS or SAML it is possible to secure the adminlogin with a multi factor authentication.</P><P>&nbsp;</P><P>Regards,</P><P>Remo</P> Sat, 11 Aug 2018 09:28:41 GMT https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-for-admin-login/m-p/226798#M65293 Remo 2018-08-11T09:28:41Z https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-for-admin-login/m-p/226800#M65295 <P>Thanks.</P><P>&nbsp;</P><P>Duo has a <A href="https://duo.com/docs/radius" target="_self">proxy application</A>&nbsp;that can be installed on-prem, act as a RADIUS server for authentication and lookup to our Active Directory. I'll give this a go and see if it works as a 2FA solution for admin login.&nbsp;</P> Sat, 11 Aug 2018 11:44:14 GMT https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-for-admin-login/m-p/226800#M65295 Retired Member 2018-08-11T11:44:14Z https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-for-admin-login/m-p/249017#M70841 <P>Correct, this is supported in 8.1.</P><P>See the updated page:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-server-profiles-multi-factor-authentication" target="_blank">https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-server-profiles-multi-factor-authentication</A></P><P>&nbsp;</P><P><SPAN>For the following authentication use cases, the firewall integrates with multi-factor authentication (MFA) vendors using RADIUS and SAML:</SPAN></P><UL><LI><DIV class="p">Remote user authentication through GlobalProtect™ portals and gateways.</DIV></LI><LI><DIV class="p"><STRONG>Administrator authentication in the PAN-OS and Panorama™ web interface.</STRONG></DIV></LI><LI><DIV class="p">Authentication through Authentication policy.</DIV></LI></UL> Wed, 06 Feb 2019 14:32:36 GMT https://live.paloaltonetworks.com/t5/general-topics/2-factor-authentication-for-admin-login/m-p/249017#M70841 ksalustro 2019-02-06T14:32:36Z