2-Factor Authentication for Admin Login

L2 Linker

2-Factor Authentication for Admin Login

HI all


This is likely to have been asked before, but a search of the Live! forums didn't turn up anything relevant

As part of security best practices in my organisation, I'm looking to enable 2FA (via DUO) on the admin web interface


I have the instructions for adding 2FA to user browsing via Captive Portal, and for adding 2FA to GlobalProtect connections, but there doesn't seem to be anything for the admin interface. I noticed on this page it says "The firewall supports MFA only for end users, not firewall administrators".


I just wanted to check with anyone that can confirm, is that a universal rule for PAN-OS (as of 8.0)?

There is no support for 2FA on the admin login at present?


Thinking about the flow of an admin login, I'm not sure I can see how it would work. You can't really use source & dest objects to specify the admin interface when defining an Authentication Policy, to my knowledge. But if this can be done, I'd appreciate any instructions


I'm using a PA-220 on PAN-OS 8.1.2, with administrator logins stored in Active Directory and an LDAP-based Authentication Profile to secure logins.



L7 Applicator

Re: 2-Factor Authentication for Admin Login

Hi @sam_miller


As far as I know MFA with the PAN-OS integrated MFA provider this isn't possible. Only with RADIUS or SAML it is possible to secure the adminlogin with a multi factor authentication.




L2 Linker

Re: 2-Factor Authentication for Admin Login



Duo has a proxy application that can be installed on-prem, act as a RADIUS server for authentication and lookup to our Active Directory. I'll give this a go and see if it works as a 2FA solution for admin login. 

L2 Linker

Re: 2-Factor Authentication for Admin Login

Correct, this is supported in 8.1.

See the updated page: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-server-profiles...


For the following authentication use cases, the firewall integrates with multi-factor authentication (MFA) vendors using RADIUS and SAML:

  • Remote user authentication through GlobalProtect™ portals and gateways.
  • Administrator authentication in the PAN-OS and Panorama™ web interface.
  • Authentication through Authentication policy.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!