08-10-2018 09:07 PM
Hi all
This is likely to have been asked before, but a search of the Live! forums didn't turn up anything relevant.
As part of security best practices in my organisation, I'm looking to enable 2FA (via DUO) on the admin web interface.
I have the instructions for adding 2FA to user browsing via Captive Portal, and for adding 2FA to GlobalProtect connections, but there doesn't seem to be anything for the admin interface. I noticed on this page it says "The firewall supports MFA only for end users, not firewall administrators".
I just wanted to check with anyone that can confirm, is that a universal rule for PAN-OS (as of 8.0)?
There is no support for 2FA on the admin login at present?
Thinking about the flow of an admin login, I'm not sure I can see how it would work. You can't really use source & dest objects to specify the admin interface when defining an Authentication Policy, to my knowledge. But if this can be done, I'd appreciate any instructions.
I'm using a PA-220 on PAN-OS 8.1.2, with administrator logins stored in Active Directory and an LDAP-based Authentication Profile to secure logins.
Thanks
08-11-2018 02:28 AM
Hi @sam_miller
As far as I know, this isn't possible with the PAN-OS integrated MFA provider. Only with RADIUS or SAML is it possible to secure the admin login with multi-factor authentication.
Regards,
Remo
08-11-2018 04:44 AM
Thanks.
Duo has a proxy application that can be installed on-prem, act as a RADIUS server for authentication and lookup to our Active Directory. I'll give this a go and see if it works as a 2FA solution for admin login.
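The setup described in the post above, sketched as an added example that is not part of the original thread or taken from vendor documentation for this firewall: a Duo Authentication Proxy `authproxy.cfg` that checks the password against Active Directory and then requires a Duo second factor before answering the firewall's RADIUS request. All hosts, DNs, keys and secrets are placeholders; the firewall side is assumed to be a RADIUS server profile referenced by the authentication profile used for administrator logins.

```ini
; authproxy.cfg (added example; every value below is a placeholder)

[ad_client]
; Primary authentication: bind to Active Directory to verify the password.
host=DC_HOSTNAME_OR_IP
service_account_username=PLACEHOLDER_SERVICE_ACCOUNT
service_account_password=PLACEHOLDER_PASSWORD
search_dn=DC=example,DC=com
; Optional: only members of this group may authenticate through the proxy,
; so ordinary directory users cannot reach the admin login path.
security_group_dn=CN=Firewall-Admins,OU=Groups,DC=example,DC=com

[radius_server_auto]
; Secondary authentication: Duo push or passcode after the AD check passes.
ikey=PLACEHOLDER_INTEGRATION_KEY
skey=PLACEHOLDER_SECRET_KEY
api_host=PLACEHOLDER_API_HOSTNAME
; The only RADIUS client accepted: the firewall's management address.
radius_ip_1=FIREWALL_MGMT_IP
radius_secret_1=PLACEHOLDER_LONG_RANDOM_SHARED_SECRET
client=ad_client
port=1812
; failmode=safe lets logins through on the password alone when Duo's
; service is unreachable; secure denies them instead.
failmode=secure
```

With `failmode=secure`, keep a separate local break-glass administrator account, and set the RADIUS timeout on the firewall long enough for the second-factor prompt to be answered.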
02-06-2019 06:31 AM - edited 02-06-2019 06:32 AM
Correct, this is supported in 8.1.
See the updated page: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/device/device-server-profiles...
For the following authentication use cases, the firewall integrates with multi-factor authentication (MFA) vendors using RADIUS and SAML: