Exam PCNSE topic 1 question 231 discussion

FYI in 10.0 onward, "Captive Portal" is now called "Authentication Portal".

B is correct. Given the authentication using AD is already in place, we can safely assume that LDAP server profile is already in use. The MFA will be used as an additional/second authentication factor. Also, the question refers to PAN-OS MFA so it is again safe to assume it will use PAN-OS directly integrated vendors instead of using one through RADIUS.

I believe is C. because the authentication sequence can include multiple authentication methods, which is essential for implementing MFA.

Answer is D. To use MFA for protecting sensitive information, you must configure an Authentication Portal (Captive Portal) to display a web form. To enable additional factors, you can integrate with MFA vendors through RADIUS or vendor APIs. In most cases, and external service is recommended for the first authentication factor.

B and C are the same except that B offers more options for the authentication factors in the authentication profile. "Add a RADIUS server profile. This is required if the firewall integrates with an MFA vendor through RADIUS" since D is more granular, I go for D

Would the keyword here is "PAN-OS MFA"? I see the word from the following UR "For remote user authentication to GlobalProtect portals or gateways or for administrator authentication to the PAN-OS or Panorama web interface, you can only use MFA vendors supported through RADIUS or SAML" https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication#:~:text=you%20can%20only%20use%20MFA%20vendors%20supported%20through%20RADIUS%20or%20SAML

Option D To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Authentication Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs.

i think B is closer

For end-user authentication via the Authentication policy, the firewall directly integrates with several MFA platforms (such as Duo v2, Okta Adaptive, PingID, and RSA SecurID) and integrates through RADIUS with other MFA platforms.

did anyone see this in the exam?

Answer B When we use PANOS MFA, the user will first authenticate with the authentication profile configured (Radius, SAML, Kerberos, TACACS+, LDAP), then an additional factor is configured in the same authentication profile, this factor is the MFA which is used by the Captive Portal.

B and D are both wrong -Authentication policies reference Authentication Enforcement policies directly, not Authentication profiles. However, if one of them has to be right, it's B. D is less right since RADIUS isn't the only MFA option.

D To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Authentication Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/authentication/configure-multi-factor-authentication

To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs. After evaluating Authentication policy, the firewall evaluates Security policy, so you must configure rules for both policy types.

You should create an auth profile and use it in captive protal auth policy.

D sounds the most correct from this line in the link. To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for the first authentication factor and to record Authentication Timestamps. The firewall uses the timestamps to evaluate the timeouts for Authentication Policy rules. To enable additional authentication factors, you can integrate the firewall with MFA vendors through RADIUS or vendor APIs. After evaluating Authentication policy, the firewall evaluates Security policy, so you must configure rules for both policy types.