Authentication Features

Learn more about new authentication features in PAN-OS 11.1, such as TACACS+ Accounting.

TACACS+ Accounting

November 2023
  • Introduced in PAN-OS 11.1.0
If you use a Terminal Access Controller Access-Control System Plus (TACACS+) server for user authentication and authorization, you can now log accounting information as well, making use of the full authentication, authorization, and accounting (AAA) framework on which TACACS+ is based.
The TACACS+ Accounting feature lets you use a TACACS+ server profile to record user activity, such as when a user started using a specific service, how long the service was used, and when the user stopped using it. The feature produces records of the initiation and termination of services, as well as of services still in progress during the user's session, that you can later use for auditing.
When you configure and enable an Accounting server profile, the firewall sends accounting records to the TACACS+ server describing the initiation, duration, and termination of services by users. The firewall also generates a log when it successfully delivers the accounting records to one of the servers configured in the profile. If the firewall cannot deliver the accounting records to any of the servers in the profile, it generates a critical-severity system log.
Your existing TACACS+ server can therefore now receive accounting records in addition to handling authentication and authorization, giving you more complete visibility into user activity on your network.
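The exchange described above, as an added, constructed example that is not PAN-OS code or Palo Alto Networks documentation: a minimal TACACS+ accounting client and server following RFC 8907. The client side stands in for the firewall and sends START and STOP accounting REQUEST packets (body obfuscated with the RFC 8907 MD5 pseudo-pad); the server side decodes them into session records with a duration and answers with an accounting REPLY. The `account` helper tries each configured server in turn and returns the text of a critical alert when no server accepts the record, mirroring the failure mode described above. The shared key, addresses, task IDs and server names are made up.

```python
"""Constructed TACACS+ (RFC 8907) accounting exchange. The client side stands
in for the firewall, the server side for the TACACS+ server. Not PAN-OS code;
the shared key, addresses, task IDs and server names are invented."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major 0xC, minor 0 (RFC 8907 section 4.1)
TAC_PLUS_ACCT = 0x03               # packet type: accounting
ACCT_FLAG_START, ACCT_FLAG_STOP = 0x02, 0x04
ACCT_STATUS_SUCCESS, ACCT_STATUS_ERROR = 0x01, 0x02
HEADER = struct.Struct("!BBBBII")         # version, type, seq_no, flags, session_id, length
ACCT_FIXED = struct.Struct("!BBBBBBBBB")  # acct flags ... arg_cnt (section 7.1)


def pseudo_pad(session_id: int, key: bytes, seq_no: int, length: int) -> bytes:
    """Section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate and truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, seq_no, len(body))))


def build_acct_request(session_id, key, seq_no, acct_flags, user, port, rem_addr, args):
    """Accounting REQUEST: fixed fields, one length byte per argument, then the strings."""
    ub, pb, rb = user.encode(), port.encode(), rem_addr.encode()
    ab = [a.encode() for a in args]
    body = ACCT_FIXED.pack(acct_flags, 0x06, 15, 0x01, 0x01,  # method TACACSPLUS, priv 15, ASCII, LOGIN
                           len(ub), len(pb), len(rb), len(ab))
    body += bytes(len(a) for a in ab) + ub + pb + rb + b"".join(ab)
    hdr = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)


def parse_acct_request(packet, key):
    """Server side: de-obfuscate the body and split the REQUEST into its fields."""
    version, ptype, seq_no, _flags, session_id, length = HEADER.unpack_from(packet)
    if version != TAC_PLUS_VERSION or ptype != TAC_PLUS_ACCT:
        raise ValueError("not a TACACS+ accounting REQUEST")
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, seq_no)
    acct_flags, _m, priv, _t, _s, ul, pl, rl, ac = ACCT_FIXED.unpack_from(body)
    arg_lens = body[ACCT_FIXED.size:ACCT_FIXED.size + ac]
    off = ACCT_FIXED.size + ac
    user, port, rem = body[off:off + ul], body[off + ul:off + ul + pl], body[off + ul + pl:off + ul + pl + rl]
    off += ul + pl + rl
    args = {}
    for n in arg_lens:                      # each argument is "name=value"
        k, _, v = body[off:off + n].decode().partition("=")
        args[k] = v
        off += n
    return {"session_id": session_id, "seq_no": seq_no, "acct_flags": acct_flags, "priv_lvl": priv,
            "user": user.decode(), "port": port.decode(), "rem_addr": rem.decode(), "args": args}


def build_acct_reply(session_id, key, seq_no, status, server_msg=b""):
    """Accounting REPLY (section 7.2): server_msg_len, data_len, status, server_msg."""
    body = struct.pack("!HHB", len(server_msg), 0, status) + server_msg
    hdr = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    return hdr + obfuscate(body, session_id, key, seq_no)


def parse_acct_reply(packet, key):
    _v, _t, seq_no, _f, session_id, length = HEADER.unpack_from(packet)
    body = obfuscate(packet[HEADER.size:HEADER.size + length], session_id, key, seq_no)
    msg_len, _data_len, status = struct.unpack_from("!HHB", body)
    return status, body[5:5 + msg_len].decode()


class AcctServer:
    """Toy accounting server: START opens a record, STOP closes it (with elapsed_time)."""
    def __init__(self, key):
        self.key, self.open, self.closed = key, {}, []

    def handle(self, packet):
        req = parse_acct_request(packet, self.key)
        sid = (req["user"], req["args"].get("task_id"))
        if req["acct_flags"] & ACCT_FLAG_START:
            self.open[sid] = req
        elif req["acct_flags"] & ACCT_FLAG_STOP and sid in self.open:
            start = self.open.pop(sid)
            self.closed.append({**start["args"], **req["args"], "user": req["user"], "rem_addr": req["rem_addr"]})
        else:
            return build_acct_reply(req["session_id"], self.key, req["seq_no"] + 1,
                                    ACCT_STATUS_ERROR, b"STOP without matching START")
        return build_acct_reply(req["session_id"], self.key, req["seq_no"] + 1, ACCT_STATUS_SUCCESS)


def account(servers, key, session_id, acct_flags, user, port, rem_addr, args):
    """Client side: offer the record to each configured server in turn; if none
    accepts it, return the critical alert the firewall would write to its system log."""
    req = build_acct_request(session_id, key, 1, acct_flags, user, port, rem_addr, args)
    for name, srv in servers:
        status, _msg = parse_acct_reply(srv.handle(req), key)
        if status == ACCT_STATUS_SUCCESS:
            return ("ok", name)
    return ("critical", f"accounting record for {user} not accepted by any TACACS+ server")
```

The START record carries `task_id`, `service` and `start_time`; the matching STOP carries `stop_time` and `elapsed_time`, which is how the duration of a service ends up in the server's record. Note that the MD5 pseudo-pad obfuscates the body but does not authenticate it, which is why RFC 8907 recommends carrying TACACS+ only over a protected transport.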

Authentication Portal Support for IPv6 Redirect Host

May 2024
  • Introduced in PAN-OS 10.2.9
  • Available in PAN-OS 10.2.9, 11.1.3, and 11.2
If your Authentication Portal deployment uses redirect mode with Security Assertion Markup Language (SAML) or Lightweight Directory Access Protocol (LDAP) and multi-factor authentication (MFA), you can now use an IPv6 address (a DNS AAAA record) for the redirect host in addition to an IPv4 address.
This lets you map an IPv6 address on the Layer 3 interface to the redirect host in addition to an IPv4 address (for example, to provide redundancy). Using a CLI command, you configure the fully qualified domain name (FQDN) of the redirect host so that it can resolve to an IPv6 address. When the firewall starts an Authentication Portal session, it detects whether the host FQDN resolves to IPv4 or IPv6 when it creates the mapping for the user. As a result, even if the user's traffic changes from IPv4 to IPv6 during the same session, the firewall still maps the user correctly, so your user-based Security policy is applied consistently throughout your network and across enforcement devices.
You can also use CLI commands to view or remove the currently configured redirect host FQDN. For the Authentication Portal configuration to succeed, add the required IPv6 address to the Subject Alternative Name (SAN) field of the certificate that you configure for your Authentication Portal deployment. With this capability, the portal can serve clients over either IP version.
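A pre-deployment check for the certificate requirement above, added here as a constructed example that is not PAN-OS code or Palo Alto Networks documentation. It parses a certificate's SAN as printed by `openssl x509 -noout -ext subjectAltName` (an assumed input format), normalizes IPv6 literals so that the uncompressed, uppercase form OpenSSL prints compares equal to the form an administrator types, and reports which of the redirect host's FQDN and resolved addresses the certificate fails to cover. The FQDN, addresses and SAN strings are invented.

```python
"""Constructed check that an Authentication Portal certificate's SAN covers the
redirect host FQDN and every address it resolves to (A and AAAA). Not PAN-OS
code; the FQDN, addresses and SAN strings are made up, and the SAN text is
assumed to be in the form printed by `openssl x509 -noout -ext subjectAltName`."""
import ipaddress


def parse_san(san_text: str) -> dict:
    """Split 'DNS:a, IP Address:b, ...' into a set of names and a set of IPs.
    IP literals go through ipaddress so that '2001:DB8:0:0:0:0:0:1' (OpenSSL's
    output) and '2001:db8::1' (what an admin types) compare equal."""
    names, ips = set(), set()
    for entry in san_text.split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "DNS":
            names.add(value.strip().lower().rstrip("."))
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value.strip()))
    return {"dns": names, "ip": ips}


def redirect_host_gaps(san_text: str, fqdn: str, addresses) -> list:
    """Return the SAN entries missing for this redirect host: the FQDN itself
    and each address it resolves to. An empty list means both IP versions are covered."""
    san = parse_san(san_text)
    gaps = []
    if fqdn.lower().rstrip(".") not in san["dns"]:
        gaps.append(f"DNS:{fqdn}")
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if ip not in san["ip"]:
            gaps.append(f"IP Address:{ip.compressed} (IPv{ip.version})")
    return gaps


# Constructed inputs: a redirect host with one A and one AAAA record, and a
# certificate issued before the IPv6 address was added versus one issued after.
REDIRECT_FQDN = "authportal.example.com"
REDIRECT_ADDRESSES = ["198.51.100.10", "2001:db8:10::a"]
SAN_BEFORE = "DNS:authportal.example.com, IP Address:198.51.100.10"
SAN_AFTER = ("DNS:authportal.example.com, IP Address:198.51.100.10, "
             "IP Address:2001:DB8:10:0:0:0:0:A")

if __name__ == "__main__":
    print("before:", redirect_host_gaps(SAN_BEFORE, REDIRECT_FQDN, REDIRECT_ADDRESSES))
    print("after: ", redirect_host_gaps(SAN_AFTER, REDIRECT_FQDN, REDIRECT_ADDRESSES))
```

Run against a real deployment by feeding `redirect_host_gaps` the SAN text from the portal certificate and the A and AAAA answers for the configured redirect host FQDN; a non-empty result means the portal will fail certificate validation for at least one IP version.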