topic Admin authentication using RADIUS without local accounts in General Topics

Admin authentication using RADIUS without local accounts

lwheelock — Wed, 25 Jan 2012 19:25:09 GMT

Hi All,

I ran across a strange issue when provisioning a new Administrator on our team. The background is that we use Cisco ACS 5.1 as our RADIUS authentication for our PA firewalls. All of the correct VSAs are input and appropriate Authorization Policies created for Firewalls and Panorama. We do not use local accounts, and instead rely on ACS to do authorization, which keeps things centralized.

However, I noticed that after I had provisioned this new admin account on ACS the user was not able to successfully authenticate via SSH to the PA firewall. After quite a bit of testing and troubleshooting I ultimately determined that if you do not first authenticate to the firewall via Web UI, you cannot authenticate via SSH. Very odd I thought.

If anyone else can attempt to replicate this issue, please let me know. It's a simple enough work around so nothing critical but I found it curious.

Affected verisons I could test:

3.1.5

4.0.1

4.0.7

Re: Admin authentication using RADIUS without local accounts

jdelio — Wed, 25 Jan 2012 22:23:07 GMT

Thanks for the question..

It would appear that this has been reported before..

We have a bug where "out-of-device" admin accounts require a webUI logon first before the SSH logon works. This is because when you configure admin user on PAN, it also creates a home directory for that user. If you have defined an admin on Radius only, then PAN does not have that user's corresponding home directory. In that case first-time login via SSH fails because there is no home directory. When you first login via webUI it will create that home directory for subsequent SSH logons.

The workaround for this is to configure admins on PAN itself via the Device->Administrators tab for admins that would only have CLI access. At present, this bug has not resolved.

This might be fixed soon in a future release, but we do not know as of yet when that will be.

If you are having issues where locally configured administrators are having to logon via the webUI first, then please call into PAN support for a live troubleshooting session.

Kind Regards.

Re: Admin authentication using RADIUS without local accounts

jdelio — Tue, 30 Jul 2013 19:14:36 GMT

Update:

This issue has come up in 5.0.1, and is resolved in 5.0.5 and 5.1.1.

Ref case 120090

Re: Admin authentication using RADIUS without local accounts

lwheelock — Mon, 05 Aug 2013 18:56:24 GMT

Tested in 5.0.6 and it is still an issue.

Re: Admin authentication using RADIUS without local accounts

jdelio — Mon, 05 Aug 2013 19:37:14 GMT

Thanks for the update.. Please allow me to clarify..

on your FW device, you have an admin role as:

test2-admin-role {

role {

device {

cli superreader;

webui {

Or you need Panorama to push down an admin role also.

Please confirm.

Re: Admin authentication using RADIUS without local accounts

lwheelock — Mon, 05 Aug 2013 20:36:18 GMT

No such admin role. Admin role is sent via VSA in RADIUS accept message.

Re: Admin authentication using RADIUS without local accounts

mbutt — Tue, 06 Aug 2013 06:35:14 GMT

It is a bug 32363 which has been previously reported. However the bug will be fixed in next Major release. So it is not in 5.0.x.

Hope this helps.

Thanks

Re: Admin authentication using RADIUS without local accounts

JohnPetrucci — Mon, 14 Jul 2014 20:43:18 GMT

See also: bug ID 59031 / https://live.paloaltonetworks.com/docs/DOC-6773