How to Configure Kerberos Authentication in PAN-OS 8.1
Environment
- PAN-OS 8.1
- Kerberos Authentication
Resolution
* For more up-to-date information, see the documents below:
Set Up Kerberos Authentication PAN-OS 9.1
Configure Kerberos Server Authentication PAN-OS 10.2
Details
Configuring a Kerberos server allows users to authenticate natively to a domain controller. When the Kerberos settings are configured, Kerberos becomes available as an option when defining authentication profiles. Recommendations for configuring Kerberos are provided below:
DNS Entries
If using Active Directory, it is easiest to use the AD DNS server as the PAN firewall's DNS server, because the DNS entries needed for Kerberos authentication already exist on that server. If this option is not possible, make sure the DNS server that the PAN firewall uses has Service Location (SRV) entries for _kerberos._tcp and _kerberos._udp.
As an example, if there is an Active Directory server named w2k3.pantac2.org, the zone will also need service location (SRV) entries for _kerberos._tcp.pantac2.org and _kerberos._udp.pantac2.org, both pointing at that server.
Below is an example from a Linux server running the Bind9 DNS server (the first line is a column legend, not a record):
srvce.prot.name   ttl  class  rr   pri  weight  port  target
w2k3                   IN     A    10.30.14.132
_kerberos._tcp         IN     SRV  0    100     88    w2k3
_kerberos._udp         IN     SRV  0    100     88    w2k3
NTP Server
The time on the Palo Alto Networks device and on the Kerberos server needs to be synchronized to within 5 minutes of each other; this clock-skew limit is a security feature built into Kerberos. Both the device and the AD server should be configured to use an NTP server.
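The two prerequisites above (SRV records for the realm and clocks within 5 minutes) can be checked before touching the firewall. The following added example, which is not part of the original article or any Palo Alto Networks tool, parses a constructed Bind9 zone fragment modelled on the one shown above (hypothetical host and address), verifies that both _kerberos SRV records exist, use port 88 and point at a host with an A record, and checks clock skew from epoch timestamps:

```python
# Constructed zone fragment modelled on the article's Bind9 example.
# The $ORIGIN line is added here so relative names can be qualified;
# the host name and address are hypothetical.
ZONE = """\
$ORIGIN pantac2.org.
w2k3            IN A   10.30.14.132
_kerberos._tcp  IN SRV 0 100 88 w2k3
_kerberos._udp  IN SRV 0 100 88 w2k3
"""

MAX_SKEW_SECONDS = 300  # Kerberos tolerates at most 5 minutes of clock skew


def parse_zone(text):
    """Return (origin, A records, SRV records) from a minimal Bind zone fragment."""
    origin, a_recs, srv_recs = "", {}, {}
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue                      # blank line or zone-file comment
        if parts[0] == "$ORIGIN":
            origin = parts[1].rstrip(".")
            continue
        name, rtype = parts[0], parts[2]  # owner name, class, record type, rdata...
        if rtype == "A":
            a_recs[name] = parts[3]
        elif rtype == "SRV":
            _pri, _weight, port, target = parts[3:7]
            srv_recs[name] = (int(port), target.rstrip("."))
    return origin, a_recs, srv_recs


def check_kerberos_srv(text, realm):
    """List problems that would stop a Kerberos client from locating the KDC."""
    origin, a_recs, srv_recs = parse_zone(text)
    problems = []
    if origin.lower() != realm.lower():   # realm names are case-insensitive here
        problems.append(f"zone origin {origin!r} does not match realm {realm!r}")
    for name in ("_kerberos._tcp", "_kerberos._udp"):
        rec = srv_recs.get(name)
        if rec is None:
            problems.append(f"missing SRV record {name}.{realm}")
            continue
        port, target = rec
        if port != 88:
            problems.append(f"{name} points at port {port}, expected 88")
        if target not in a_recs:
            problems.append(f"{name} target {target!r} has no A record in the zone")
    return problems


def clock_skew_ok(firewall_epoch, kdc_epoch, max_skew=MAX_SKEW_SECONDS):
    """True when the firewall and KDC clocks (epoch seconds) are within tolerance."""
    return abs(firewall_epoch - kdc_epoch) <= max_skew
```

Run it against a zone transfer or a hand-copied fragment of the real zone; an empty problem list means the DNS side is ready for the Kerberos server profile.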
Device Configuration
Create the Kerberos Server profile: Device tab > Server Profiles > Kerberos.
Enter the name of the profile. For the user account name user@pantac2.org, the Realm (up to 127 characters) is the FQDN, "pantac2.org". Enter the Domain for the user account (up to 63 characters), which in our example is "pantac2". For each server, click Add and enter the Server name. Enter the server FQDN under Host, and optionally enter a port number for communication with the server.
Create an Auth Profile: Device tab > Authentication Profile > New. Select Authentication "Kerberos" and be sure to select the Kerberos server profile configured above. An example is shown below:
This Auth Profile can be used for SSL VPN, Captive Portal or Administrator logins. The above Auth Profile was configured to allow all authentication requests to reach the AD server. The Auth Profile can be customized by using AD groups to determine which users are allowed to send an authentication request to the AD server.
owner: rnitz