topic Re: Group Based Administrator Account in General Topics

Group Based Administrator Account

SubaMuthuram — Fri, 18 Feb 2022 12:05:53 GMT

Hi,

Is there any option in Palo Alto, To create a single administrative account for a user group fetched from RADIUS.

Re: Group Based Administrator Account

BPry — Fri, 18 Feb 2022 15:41:33 GMT

@SubaMuthuram,

This isn't an option available on the firewall. You can't tie a group to a single account

Re: Group Based Administrator Account

SubaMuthuram — Fri, 18 Feb 2022 15:48:57 GMT

Hi BPry,

Can we use RADIUS auth profile. So from a single administrative account we can use a group to login to the firewall. So we no need to create individual admin account for each users.

Re: Group Based Administrator Account

aleksandar.astardzhiev — Fri, 18 Feb 2022 15:57:21 GMT

Hi @SubaMuthuram ,

Let me check if I understand your question correctly - you want to group of users to authenticate and use the same username for administrating the firewall?

This doesn't look like good idea... It is best practise to have personal administrative accounts. This way you always know who, do what when. If you plan to have multiple users login to firewall with same account, why complicating and using RADIUS, just create local superadmin and put the password on peace of paper and gave it to the users (sorry, being sarcastic).

If I haven't understand your question and you actually want to allow which users are allowed to connect to firewall admin, based on group membership. Yes, that can be configured

I would you suggest to check this link - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html you see which protocol support both external authentication and authorization (meaning you don't have to create account on the firewall)

From there you can check how to setup RADIUS for admin login https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-radius-authentication.html#id01590369-93b6-48be-8928-eac0ade51d5d

Re: Group Based Administrator Account

SubaMuthuram — Fri, 18 Feb 2022 19:30:08 GMT

HI @aleksandar.astardzhiev ,

This is what I was looking for,

From there you can check how to setup RADIUS for admin login https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-radius-authentic...