Review the multi-factor authentication (MFA) vendors with which Palo Alto Networks
Next-Generation Firewalls and Panorama™ appliances can integrate.
Palo Alto Networks Next-Generation Firewalls and Panorama™ appliances can integrate with
multi-factor authentication (MFA) vendors using RADIUS and SAML. Firewalls can
additionally integrate with specific MFA vendors using the API to enforce MFA through
Authentication policy.

| Authentication Use Case | RADIUS (any vendor) | TACACS+ (any vendor) | SAML (any vendor) | MFA Server Profile |
|---|---|---|---|---|
| Next-Generation Firewall and Panorama Administrator Web Interface | √ | √ | √ | — |
| Next-Generation Firewall and Panorama Administrator CLI | √ | √ | — | — |
| GlobalProtect™ Portal and Gateway Authentication | √ | √ | √ | — |
| Authentication Policy (Formerly Captive Portal Policy) | √ | √ | √ | √ |

| Vendor | Min. Content Version * |
|---|---|
| RSA SecurID Access | 752 |
| PingID | 655 |
| Okta Adaptive | 655 |
| Duo v2 | 655 |

* Palo Alto Networks provides support for MFA vendors through
Applications content updates, which means that if you use Panorama to push device
group configurations to firewalls, you must install the same Applications release
version on managed firewalls as you install on Panorama to avoid
mismatches in vendor support.
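
One way to check the requirement in the note above before pushing device group configurations, shown as an added example that is not Palo Alto Networks code. It assumes you have collected `show system info` style text containing `hostname:` and `app-version:` fields from Panorama and each managed firewall, and that the number before the dash in `app-version` is the content release to compare against the minimums listed on this page. The host names and versions in the sample are constructed.

```python
import re

# Minimum Applications content versions, copied from the vendor list on this page.
MIN_CONTENT = {"RSA SecurID Access": 752, "PingID": 655,
               "Okta Adaptive": 655, "Duo v2": 655}

FIELD = re.compile(r"^(hostname|app-version):[ \t]*(\S+)[ \t]*$", re.MULTILINE)

def parse_system_info(text):
    """Extract (hostname, app-version) from 'show system info' style text."""
    fields = dict(FIELD.findall(text))
    if "hostname" not in fields or "app-version" not in fields:
        raise ValueError("hostname or app-version field missing")
    return fields["hostname"], fields["app-version"]

def content_release(app_version):
    """Assumption: the number before the dash is the content release number."""
    return int(app_version.split("-", 1)[0])

def audit(panorama_text, firewall_texts, vendor):
    """Return (host, version, problem) tuples for the chosen MFA vendor."""
    minimum = MIN_CONTENT[vendor]
    pano_host, pano_ver = parse_system_info(panorama_text)
    findings = []
    if content_release(pano_ver) < minimum:
        findings.append((pano_host, pano_ver, f"below minimum {minimum}"))
    for text in firewall_texts:
        host, ver = parse_system_info(text)
        if ver != pano_ver:
            findings.append((host, ver, f"differs from Panorama ({pano_ver})"))
        if content_release(ver) < minimum:
            findings.append((host, ver, f"below minimum {minimum}"))
    return findings

# Constructed sample output (not captured from real devices).
PANORAMA = "hostname: pano-1\nmodel: Panorama\napp-version: 8700-7991\n"
FIREWALLS = [
    "hostname: fw-hq-1\nmodel: PA-VM\napp-version: 8700-7991\n",
    "hostname: fw-branch-2\nmodel: PA-VM\napp-version: 8650-7800\n",
    "hostname: fw-lab-3\nmodel: PA-VM\napp-version: 700-4000\n",
]

if __name__ == "__main__":
    for host, ver, problem in audit(PANORAMA, FIREWALLS, "RSA SecurID Access"):
        print(f"{host}: app-version {ver} {problem}")
```

An empty result means every managed firewall reports the same Applications release as Panorama and that release meets the minimum for the selected vendor.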