topic Re: RADIUS authentication and multi-vsys configuration in General Topics

RADIUS authentication and multi-vsys configuration

Kalemegdan — Mon, 07 Dec 2015 17:10:04 GMT

Hello,

i have a pair of 5020, with multi-vsys environment and i want to be able to separate admin access based on vsys and read-only/read write access. I successfully configured following admin access scenario, using external RADIUS server:

separate read-only user access to all vsys

separate read-only user access to only one vsys

separate read-write user access to all vsys

separate read-write user access to only one vsys.

These are all working fine; the question is:

when i login as read-only single vsys user, the following behavior is as expected: ACC shows only one vsys, Monitor tab shows only one vsys, Policy tab shows only one vsys, etc but Network tab shows interface for all vsys instead of just for vsys I have read-only access; virtual routers shows all vrs not just related to one vsys, BUT the zones shows only zones related to one vsys. My question is: with scenario when read-only user has access to only one vsys, is it possible to show interfaces related to that vsys ONLY?

Thanks for your feedback..

Re: RADIUS authentication and multi-vsys configuration

jpeters — Wed, 09 Dec 2015 08:39:24 GMT

Hi unfortunately this is currently not a supported feature. However since they are read only users they would not be able to make any changes even if they can see them. Also, with your read-write users there isn't a way to only allow them access to change interfaces within their specific vsys either. Access domains and RADIUS are the only way it is possible to have the scenario where a user can only view logs, ACC, policies etc... for their Vsys only and the network interface info as well.

You may want to consider using a vsys based admin role instead of a device based admin role. It would remove the ability for these users to see the network interfaces, vlans, VRs, network profiles etc... altogether while still showing the zones and global protect info per vsys.

Re: RADIUS authentication and multi-vsys configuration

Kalemegdan — Wed, 09 Dec 2015 19:13:12 GMT

Hi, thanks for your feedback.

Unfortunatelly if i change firewall based admin role for Virtual system, in Web UI tab interface, in Network section only zones and Global protect are available for selection of enable, readonly or disable. Admin role for Device does have all tabls available under Network subsection so i think i might need to infor customer that there is no way to hide interface tab.

Re: RADIUS authentication and multi-vsys configuration

jpeters — Thu, 10 Dec 2015 03:10:59 GMT

Yes currently there is now way to hide it or rather limit the network pages by vsys. Would be a great feature for a future release. Recommend reaching out to your SE and suggest it as a feature request.