About External Authentication for the Cloud-Delivered Firewall Management Center
When you enable external authentication, the Cloud-Delivered Firewall Management Center verifies the user credentials with an LDAP or RADIUS server as specified in an external authentication object.
You can configure multiple external authentication objects for web interface access. For example, if you have five external authentication objects enabled, a user defined in any of them can authenticate to the web interface. CLI access uses only one external authentication object: if more than one object is enabled, CLI users can authenticate only against the first object in the list, and users defined solely in later objects are not granted CLI access.
For the Cloud-Delivered Firewall Management Center, enable the external authentication objects directly on this tab. This setting affects only Cloud-Delivered Firewall Management Center access; it does not need to be enabled on this tab for managed-device access. For Firewall Threat Defense devices, you must instead enable the external authentication object in the platform settings that you deploy to the devices.
Web interface users are defined separately from CLI users in the external authentication object. For CLI users on RADIUS, you must pre-configure the list of RADIUS usernames in the external authentication object. For LDAP, you can specify a filter to match CLI users on the LDAP server.
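Because the LDAP filter decides which directory accounts receive CLI access (and, through the expert command, potential shell access), it is worth checking offline that the filter admits only the accounts you intend before you save it in the object. The following is an added example and is not Cisco code: a small evaluator for RFC 4515-style search filters (and, or, not, equality and presence tests only) run against a constructed directory. The entries, group names such as cn=fmc-cli, and the employeeType attribute are assumptions made up for the example.

```python
"""Offline check of which directory accounts an LDAP CLI-user filter admits.

Added example, not Cisco code. It evaluates an RFC 4515-style search filter
(supports &, |, !, equality and presence tests; no substring, >=, <= or
extensible matches) against constructed directory entries, so that the CLI
filter written into an external authentication object can be checked for
over-matching before the object is used. The directory data and group
names below are assumptions made up for the example.
"""


# Constructed sample directory (not real data). Attribute values are lists,
# as LDAP attributes are multi-valued.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "uid": ["alice"],
        "objectClass": ["person"],
        "memberOf": ["cn=fmc-cli,ou=groups,dc=example,dc=com",
                     "cn=fmc-web,ou=groups,dc=example,dc=com"],
    },
    "uid=bob,ou=people,dc=example,dc=com": {
        "uid": ["bob"],
        "objectClass": ["person"],
        "memberOf": ["cn=fmc-web,ou=groups,dc=example,dc=com"],
    },
    "uid=carol,ou=people,dc=example,dc=com": {
        "uid": ["carol"],
        "objectClass": ["person"],
    },
    "uid=svc-backup,ou=people,dc=example,dc=com": {
        "uid": ["svc-backup"],
        "objectClass": ["person"],
        "employeeType": ["service"],   # assumed attribute marking a service account
        "memberOf": ["cn=fmc-cli,ou=groups,dc=example,dc=com"],
    },
}


def parse_filter(text):
    """Parse a filter string into a tree: ('&'|'|'|'!', [children]) or ('=', attr, value)."""
    pos = 0

    def peek():
        if pos >= len(text):
            raise ValueError("unterminated filter")
        return text[pos]

    def node():
        nonlocal pos
        if peek() != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = peek()
        if op in "&|!":
            pos += 1
            children = []
            while peek() == "(":
                children.append(node())
            if peek() != ")":
                raise ValueError("expected ')' at offset %d" % pos)
            pos += 1
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one operand")
            if not children:
                raise ValueError("empty '%s' list" % op)
            return (op, children)
        # Simple item: attr=value, terminated by the first ')'. DN-valued
        # attributes such as memberOf contain '=' and ',' but no ')'.
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated item")
        attr, sep, value = text[pos:end].partition("=")
        if not sep or not attr:
            raise ValueError("item is not attr=value: %r" % text[pos:end])
        pos = end + 1
        return ("=", attr, value)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def _attr(entry, name):
    """Case-insensitive attribute lookup; LDAP attribute names are case-insensitive."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return values
    return []


def matches(tree, entry):
    """Evaluate a parsed filter against one entry. Values are compared
    case-insensitively, the usual caseIgnoreMatch behaviour for DNs and names."""
    op = tree[0]
    if op == "&":
        return all(matches(child, entry) for child in tree[1])
    if op == "|":
        return any(matches(child, entry) for child in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, value = tree
    values = _attr(entry, attr)
    if value == "*":          # presence test, e.g. (memberOf=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def cli_users(filter_text, directory=DIRECTORY):
    """Return the sorted uids the filter admits, i.e. who would get CLI access."""
    tree = parse_filter(filter_text)
    return sorted(_attr(entry, "uid")[0]
                  for entry in directory.values() if matches(tree, entry))


if __name__ == "__main__":
    group = "cn=fmc-cli,ou=groups,dc=example,dc=com"
    loose = "(memberOf=%s)" % group
    strict = "(&(objectClass=person)(memberOf=%s)(!(employeeType=service)))" % group
    print("loose :", cli_users(loose))    # also admits the service account
    print("strict:", cli_users(strict))   # alice only
```

The point of the check is the difference between the two filters: a bare group-membership test admits every account that was ever added to the group, including non-person or service accounts, whereas the conjunction restricts CLI access to the accounts that were actually meant to have it. Run the same comparison against an export of your real directory entries before committing the filter.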
Note: Users with CLI access can gain Linux shell access with the expert command. Linux shell users can obtain root privileges, which can present a security risk. Make sure that you: