End-of-Life (EoL)

Administrative Authentication

You can configure the following types of authentication and authorization (Administrative Roles and Access Domains) for Panorama administrators:

| Authentication Method | Authorization Method | Description |
|---|---|---|
| Local | Local | The administrative account credentials and authentication mechanisms are local to Panorama. You use Panorama to assign administrative roles and access domains to the accounts. To further secure the accounts, you can create a password profile that defines a validity period for passwords and set Panorama-wide password complexity settings. For details, see Configure Local or External Authentication for Panorama Administrators. |
| SSH Keys | Local | The administrative accounts are local to Panorama, but authentication to the CLI is based on SSH keys. You use Panorama to assign administrative roles and access domains to the accounts. For details, see Configure an Administrator with SSH Key-Based Authentication for the CLI. |
| Certificates | Local | The administrative accounts are local to Panorama, but authentication to the web interface is based on client certificates. You use Panorama to assign administrative roles and access domains to the accounts. For details, see Configure a Panorama Administrator with Certificate-Based Authentication for the Web Interface. |
| External service | Local | The administrative accounts you define locally on Panorama serve as references to the accounts defined on an external Multi-Factor Authentication, SAML, Kerberos, TACACS+, RADIUS, or LDAP server. The external server performs authentication. You use Panorama to assign administrative roles and access domains to the accounts. For details, see Configure Local or External Authentication for Panorama Administrators. |
| External | External service | The administrative accounts are defined only on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. Panorama maps the attributes to administrator roles and access domains that you define on Panorama. For details, see: |