topic Re: Tacacs+ Cisco ISE config in General Topics

Tacacs+ Cisco ISE config

MarioMarquez — Sat, 15 Sep 2018 20:21:43 GMT

Does anyone know how to configure the cisco ISE side? We can use tacacs now to access the gui but only local usernames and passwords work when trying to access the CLI using SSH. Does anyone have a complete cisco ISE setup? I found a guide to set up palo alto on the cisco ACS platform but ACS is end of life.

Re: Tacacs+ Cisco ISE config

rmfalconer — Thu, 27 Sep 2018 23:53:31 GMT

What are the settings in your admin role? Do they include CLI?

Re: Tacacs+ Cisco ISE config

alok47 — Thu, 04 Apr 2019 20:58:15 GMT

I just got TACACS+ working with my ISE deployment. Here are the steps:

1) Configure your PA Firewall following these steps: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/configure-tacacs-authentication

***Important Note #1: In step 4 of this document it specifies a role. You can use a prebuilt or a custom role, but it is critical you note the name in order to for ISE to reference the VSA configuration in your shell profile.

2) I had already configured TACACS+ device administration on my ISE deployment, so check the admin guide for those directions.

3) Add the PA firewall as a network resource on ISE. Configure, IP, name pre-shared key, and check the TACACS+ as the protocol. Create any Network Device Groups for reference in the policy.

4) Create a Palo Alto custom TACACS profile. Reference this document: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/authentication-types/tacacs.html#

For Custom Attributes you’ll need to make the type ‘MANDATORY’, use the requisite name in the document above and the Value is whatever role you specified in the note in step one on the PANOS > Device > Admin Roles.

So an example of this would be:

TACACS Profile Custom Attribute

‘MANDATORY’ - ‘PaloAlto-Admin-Role’ - <insert firewall defined custom or default Admin Role>

5) Create a policy set that references your group of PA firewalls under conditions of the policy. Choose your identity source for authentication. For authorization, set your conditions and reference the shell profile in step 4.

This allowed me to authenticate using AD via ISE TACACS+ based on existing identities in ISE and roles set on the Palo Alto Firewall.

Re: Tacacs+ Cisco ISE config

SajidMasood — Fri, 19 Jun 2020 16:27:10 GMT

I also need to integrate PA with TACACS ISE. in our network ISE is integrated with AD. And Admin groups are defined there in AD. In PA i created admin role i.e Custom admin Role. i called the AD Groups in palo alto. But user are failed to authenticate.

Re: Tacacs+ Cisco ISE config

rmfalconer — Mon, 22 Jun 2020 17:02:33 GMT

I kind of have this working, CLI works but GUI doesn't fully.
The PA configuration part is pretty straightforward. I've never gotten anything to work without having 'all' in the allow list in the auth profile.
For ISE, you need to create a custom Shell profile and create the necessary custom attribute that defines the role you want to assign on the PA.
The list of attributes is here: https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/authentication/authentication-types/tacacs.html#
So you could create a Shell profile with customer attrib of Type=MANDATORY, Name=PaloAlto-Admin-Role, Value=Superuser
Then create your authorization policy with your PA definitions and your AD group as conditions and apply the custom shell profile.

When I do this, an account not defined in the Administrators tab is able to log in to the CLI and do all Superuser tasks. For the GUI, the same logon shows successful in the PA logs but I just get sent back to the login page, no GUI access.
If I create the account in the Administrators tab and apply the specific tacacs policy to them, then everything works.

I've been meaning to open a ticket with TAC to address the GUI issue but haven't gotten to it yet. If I learn something from them, I'll update here.

Re: Tacacs+ Cisco ISE config

rmfalconer — Fri, 10 Jul 2020 17:40:57 GMT

I believe I have this working as expected now. The accounts we're using are not defined locally on the firewall, they just exist in AD.

When creating the Shell profile in ISE, I had to use 3 mandatory custom attributes:

service = PaloAlto

protocol = firewall

PaloAlto-Admin-Role = superuser (or whatever custom admin role you want to define on the firewall)

I have the tacacs authentication profile set in the authentication settings.

Re: Tacacs+ Cisco ISE config

sureshvina — Thu, 11 Nov 2021 08:25:58 GMT

I managed to get this work and documented the whole process if anybody was interested.

https://www.packetswitch.co.uk/configure-palo-alto-tacacs-authentication-against-cisco-ise/

Re: Tacacs+ Cisco ISE config

tony.pshenichnykh — Fri, 08 Apr 2022 22:54:59 GMT

I followed your article and can't passed authentication in policy set using activate directory.

22064 authentication method is not supported by any applicable identity store(s)

Re: Tacacs+ Cisco ISE config

AK74 — Thu, 13 Oct 2022 08:55:42 GMT

Hi there,

So, do you have to create the accounts and defined them locally on the firewall to get it work ?

Re: Tacacs+ Cisco ISE config

tony.pshenichnykh — Thu, 13 Oct 2022 14:58:58 GMT

Look at chart below, this is for Cisco ISE. Palo Alto only supports CHAP or PAP for authentication via RADIUS or TACACS+. In the chart, where it shows CHAP. ISE doesn't support LDAP. To answer your question, if you want to use TACACS then yes you would have to create accounts locally on ISE, but if you are already doing that then might as well create accounts locally on the Palo's with Authentication Profile to LDAP.

Protocol (Authentication Type)

Internal Database

Active Directory

LDAP

RADIUS Token Server or RSA

REST

ODBC

EAP-GTC, PAP (plain text password)

Yes

MS-CHAP password hash:

MSCHAPv1/v2

EAP-MSCHAPv2 (as inner method of PEAP, EAP-FAST, EAP-TTLS or TEAP)

LEAP

Yes

EAP-MD5

CHAP

Yes

EAP-TLS

PEAP-TLS

(certificate retrieval)

Note

For TLS authentications (EAP-TLS and PEAP-TLS), identity sources are not required but can optionally be added for authorization policy conditions.

Yes

Re: Tacacs+ Cisco ISE config

sureshvina — Thu, 13 Oct 2022 15:37:44 GMT

No, you don't have to create the accounts locally on the firewall. You don't even need to use local accounts on the ISE as you can join AD to the ISE and then use the AD credentials to log in to the firewall. Are you having any issues?

Re: Tacacs+ Cisco ISE config

tony.pshenichnykh — Thu, 13 Oct 2022 15:59:26 GMT

You can do that only if you are using PAP, but that will not work with CHAP.

Re: Tacacs+ Cisco ISE config

sureshvina — Fri, 14 Oct 2022 08:29:43 GMT

I've used CHAP in this example - https://www.packetswitch.co.uk/configure-palo-alto-tacacs-authentication-against-cisco-ise/

(Step - 1 of the blog post)

Re: Tacacs+ Cisco ISE config

AK74 — Wed, 19 Oct 2022 08:49:47 GMT

Why can't we use CHAP instead of PAP as it more secure ?

Re: Tacacs+ Cisco ISE config

Englersa — Wed, 19 Oct 2022 10:30:20 GMT

This article is truly astounding. Appreciative for sharing.A commitment of appreciation is all together for the association, keep on sharing such an information.

Re: Tacacs+ Cisco ISE config

tony.pshenichnykh — Wed, 19 Oct 2022 14:20:18 GMT

Again, it really depends on what you are trying to do. If it's using ISE for TACAS and authenticate via AD then CHAP will not work. I have provided chart above in this article why it will not work.

If you are going to create local accounts on ISE then CHAP will work fine.
A lot of folks if you haven't noticed yet in their TACACS articles are using CHAP, yes, but they create accounts locally. No one mentions that AD for authentication using CHAP is not supported in ISE.

Re: Tacacs+ Cisco ISE config

tony.pshenichnykh — Wed, 19 Oct 2022 14:25:05 GMT

Article shows using CHAP but accounts are locally created in ISE? It doesn't show using AD for authentication.

Re: Tacacs+ Cisco ISE config

sureshvina — Wed, 19 Oct 2022 14:25:47 GMT

Oh yes, you are right. I remember configuring CHAP with AD and it didn't work so, had to revert back to PAP. CHAP will only work if you have local-ISE accounts.

Re: Tacacs+ Cisco ISE config

tony.pshenichnykh — Wed, 19 Oct 2022 14:29:15 GMT

This is why CHAP will not work. I will repost the chart from previous page. This is supported by ISE. Palo Alto needs to more options in TACACS than just PAP/CHAP, and honestly I don't think PAP should even be an option.

Protocol (Authentication Type)

Internal Database

Active Directory

LDAP

RADIUS Token Server or RSA

REST

ODBC

EAP-GTC, PAP (plain text password)

Yes

MS-CHAP password hash:

MSCHAPv1/v2

EAP-MSCHAPv2 (as inner method of PEAP, EAP-FAST, EAP-TTLS or TEAP)

LEAP

Yes

EAP-MD5

CHAP

Yes

EAP-TLS

PEAP-TLS

(certificate retrieval)

Note

For TLS authentications (EAP-TLS and PEAP-TLS), identity sources are not required but can optionally be added for authorization policy conditions.

Yes

Re: Tacacs+ Cisco ISE config

Murph — Wed, 15 Mar 2023 16:13:08 GMT

I currently have this issue, Authenticatoin and Authorization passes in ISE and I can see the VSA String in the Response from ISE but I get not Authorized at the PAN GUI, anyone have luck in getting this resolved