2-Factor Authentication for Admin Login


L2 Linker

Hi all,

 

This is likely to have been asked before, but a search of the Live! forums didn't turn up anything relevant.

As part of security best practices in my organisation, I'm looking to enable 2FA (via DUO) on the admin web interface.

 

I have the instructions for adding 2FA to user browsing via Captive Portal, and for adding 2FA to GlobalProtect connections, but there doesn't seem to be anything for the admin interface. I noticed on this page it says "The firewall supports MFA only for end users, not firewall administrators".

 

I just wanted to check with anyone that can confirm, is that a universal rule for PAN-OS (as of 8.0)?

There is no support for 2FA on the admin login at present?

 

Thinking about the flow of an admin login, I'm not sure I can see how it would work. You can't really use source & dest objects to specify the admin interface when defining an Authentication Policy, to my knowledge. But if this can be done, I'd appreciate any instructions.

 

I'm using a PA-220 on PAN-OS 8.1.2, with administrator logins stored in Active Directory and an LDAP-based Authentication Profile to secure logins.

 

Thanks

Accepted Solutions

L7 Applicator

Hi @sam_miller

 

As far as I know, this isn't possible with the PAN-OS integrated MFA provider. Only with RADIUS or SAML is it possible to secure the admin login with multi-factor authentication.

 

Regards,

Remo

Correct, this is supported in 8.1.

See the updated page: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-server-profiles...

 

For the following authentication use cases, the firewall integrates with multi-factor authentication (MFA) vendors using RADIUS and SAML:

  • Remote user authentication through GlobalProtect™ portals and gateways.
  • Administrator authentication in the PAN-OS and Panorama™ web interface.
  • Authentication through Authentication policy.

3 Replies

Thanks.

 

Duo has a proxy application that can be installed on-prem, act as a RADIUS server for authentication and lookup to our Active Directory. I'll give this a go and see if it works as a 2FA solution for admin login. 
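
The setup described in the post above, sketched as an added example (not from the thread, and not taken from Duo's or Palo Alto Networks' documentation): an `authproxy.cfg` for the Duo Authentication Proxy that checks the password against Active Directory and serves RADIUS to the firewall. Every host, DN, key and secret is a placeholder, the firewall is assumed to send RADIUS from its management interface, and `failmode=secure` is an assumption chosen for admin access.

```ini
; Constructed example authproxy.cfg; every host, DN, key and secret is a placeholder.

[ad_client]
; Primary factor: the proxy binds to Active Directory and checks the password.
host=dc01.example.internal
service_account_username=svc-duoproxy
service_account_password=REPLACE_ME
search_dn=DC=example,DC=internal
; Only members of this group may authenticate, which keeps non-admin accounts out.
security_group_dn=CN=Firewall-Admins,OU=Groups,DC=example,DC=internal
; Encrypt the bind to the domain controller and verify its certificate.
transport=ldaps
ssl_ca_certs_file=conf/ad-ca.pem
ssl_verify_hostname=true

[radius_server_auto]
; Second factor: after the AD check succeeds, the proxy asks Duo for approval.
ikey=DIXXXXXXXXXXXXXXXXXX
skey=REPLACE_ME
api_host=api-XXXXXXXX.duosecurity.com
; The firewall management interface is the only permitted RADIUS client.
radius_ip_1=192.0.2.10
radius_secret_1=REPLACE_WITH_LONG_RANDOM_SECRET
client=ad_client
port=1812
; secure = reject the login when the Duo service cannot be reached.
; safe   = accept the login on the AD password alone (fails open).
failmode=secure
```

The RADIUS server profile on the firewall needs a timeout long enough for the admin to approve the second factor before the request expires.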
