Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface


As a more secure alternative to password-based authentication to the Panorama web interface, you can configure certificate-based authentication for administrator accounts that are local to Panorama. Certificate-based authentication involves the exchange and verification of a digital signature instead of a password.
Configuring certificate-based authentication for any administrator disables username/password logins for all administrators on Panorama; thereafter, all administrators require the certificate to log in.
  1. Generate a certificate authority (CA) certificate on Panorama.
    You will use this CA certificate to sign the client certificate of each administrator.
    Alternatively, you can import a certificate from your enterprise CA.
  2. Configure a certificate profile for securing access to the web interface.
    1. Select Panorama > Certificate Management > Certificate Profile and click Add.
    2. Enter a Name for the certificate profile and set the Username Field to Subject.
    3. Select Add in the CA Certificates section and select the CA Certificate you just created.
    4. Click OK to save the profile.
  3. Configure Panorama to use the certificate profile for authenticating administrators.
    1. Select Panorama > Setup > Management and edit the Authentication Settings.
    2. Select the Certificate Profile you just created and click OK.
  4. Configure the administrator accounts to use client certificate authentication.
    Configure a Panorama Administrator Account for each administrator who will access the Panorama web interface. Select the Use only client certificate authentication (Web) check box.
    If you have already deployed client certificates that your enterprise CA generated, skip to Step 8. Otherwise, continue with Step 5.
  5. Generate a client certificate for each administrator.
    Generate a certificate on Panorama. In the Signed By drop-down, select the CA certificate you created.
  6. Export the client certificates.
    1. Export the certificates.
    2. Select Commit > Commit to Panorama and Commit your changes.
      Panorama restarts and terminates your login session. Thereafter, administrators can access the web interface only from client systems that have the client certificate you generated.
  7. Import the client certificate into the client system of each administrator who will access the web interface.
    Refer to your web browser documentation as needed to complete this step.
  8. Verify that administrators can access the web interface.
    1. Open the Panorama IP address in a browser on the computer that has the client certificate.
    2. When prompted, select the certificate you imported and click OK. The browser displays a certificate warning.
    3. Add the certificate to the browser exception list.
    4. Click Login. The web interface should appear without prompting you for a username or password.
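
For the enterprise-CA path that Steps 1 and 4 mention, the following OpenSSL shell functions are an added example (not part of the original procedure and not Palo Alto Networks tooling): they issue a client certificate restricted to client authentication and check, before import, that it chains to the CA and that its subject CN equals the administrator name. `lab-ca`, `admin1`, the file names and the assumption that the Subject username field is matched on the CN are illustrative; keys are written unencrypted for the demonstration only.

```shell
# Added example. lab-ca, admin1 and all file names are placeholders.
# Assumption: with Username Field = Subject, the subject CN of the client
# certificate is what gets matched to the administrator account name.

# write_cfg DIR: minimal OpenSSL config so the run does not depend on openssl.cnf.
write_cfg() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = lab-ca
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# make_ca DIR: self-signed CA standing in for the enterprise CA.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/pki.cnf" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_client DIR ADMIN: key and CSR with CN=ADMIN, signed by the CA for clientAuth only.
issue_client() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -days 365 -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -extfile "$1/pki.cnf" -extensions v3_client \
        -out "$1/$2.crt" 2>/dev/null
}

# cert_cn FILE: print the subject CN of a certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p' | head -n 1
}

# check_client DIR ADMIN: succeeds only if DIR/ADMIN.crt chains to DIR/ca.crt
# as a TLS client certificate and its CN equals ADMIN.
check_client() {
    openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$1/$2.crt" >/dev/null 2>&1 &&
        [ "$(cert_cn "$1/$2.crt")" = "$2" ]
}
```

Run `write_cfg`, `make_ca` and `issue_client` against a scratch directory, then `check_client` for each administrator name; a non-zero exit means the certificate either does not chain to the CA in the certificate profile or carries a different CN than the account.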