Summary of the video if I may. Here Authentication and authorization of Firewall or Panorama admins are discussed, not the users. Two types of admins - listed and unlisted admins. Listed admins have admins username defined on the firewall. For listed admins credentials can be found in - config, local db or external db. For unlisted admin credentials including username found in external db w/ MFA optional. MFA vendors supported include Okta, PingID, Duo, & RSASecureID. For listed admins authorization specified using roles in Authentication profile whereas for unlisted admins authorization is done using Vendor Specific Attributes(VSA) supplied by the external DB. VSA should refer to a pre-defined role or access domain already configured on the firewall or a user or group in an authentication profile.
The Administrator account "dan" created on FW with LDAP auth profile - does not have to be called "dan" exactly right? If there's other AD users configured would they be able to login now using their own AD account via "dan" profile? Or does "dan" actually stand for the specific username?
Summary of the video if I may. Here Authentication and authorization of Firewall or Panorama admins are discussed, not the users. Two types of admins - listed and unlisted admins. Listed admins have admins username defined on the firewall. For listed admins credentials can be found in - config, local db or external db. For unlisted admin credentials including username found in external db w/ MFA optional. MFA vendors supported include Okta, PingID, Duo, & RSASecureID. For listed admins authorization specified using roles in Authentication profile whereas for unlisted admins authorization is done using Vendor Specific Attributes(VSA) supplied by the external DB. VSA should refer to a pre-defined role or access domain already configured on the firewall or a user or group in an authentication profile.
The Administrator account "dan" created on FW with LDAP auth profile - does not have to be called "dan" exactly right? If there's other AD users configured would they be able to login now using their own AD account via "dan" profile? Or does "dan" actually stand for the specific username?