Palo Alto Networks started supporting TACACS+ with the release of PAN-OS 7.0. This document explains the steps to configure TACACS+ authentication on a Palo Alto Networks firewall with read-only and read-write access privileges, using a Cisco ACS server.
Environment
Palo Alto Firewall.
Any PAN-OS.
TACACS+ configuration.
Resolution
Create a TACACS+ server profile and add the server information. If a secondary (backup) TACACS+ server is available, add it as well (GUI: Device > Server Profiles > TACACS+).
Create an authentication profile that uses the TACACS+ server profile created in the previous step (GUI: Device > Authentication Profile).
By default, three admin roles are predefined (GUI: Device > Admin Roles):
auditadmin
cryptoadmin
securityadmin
In this example, the securityadmin role is used for read-write access, and the read-Only role created in the next step is used for read-only access.
Create another admin role with limited access. In this example, a role named read-Only is created with policies, objects, network, and device access disabled (GUI: Device > Admin Roles).
Administrators must be defined individually on the firewall, because on this PAN-OS version only RADIUS supports vendor-specific attributes (VSAs) for non-local admin authentication. Note: from PAN-OS 8.0 onward you no longer need to create the admins locally, only the admin roles (GUI: Device > Administrators).
On the Cisco ACS server, create user accounts with the same usernames as the administrators defined locally on the Palo Alto Networks firewall.
Create a shell profile with these details:
Attribute: Cisco-av-pair
Requirement: Mandatory
Value: shell:priv-lvl=15
Create an authorization policy and apply the shell profile created in the previous step.
A successful login is recorded in the ACS server's authentication logs with a Passed status.
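As an added illustration (not from the original article, Palo Alto Networks or Cisco), the following Python parses a TACACS+ authorization REPLY and applies the role decision this procedure configures: a passing reply carrying privilege level 15 maps to the read-write securityadmin role, anything else to the read-Only role, and a reply with an unrecognised mandatory argument is rejected, as RFC 8907 requires. The packet bytes are constructed test data, and whether ACS sends the shell-profile attribute on the wire as a bare priv-lvl argument or as a cisco-av-pair value is an assumption, so both forms are accepted.

```python
import struct

STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
# Argument names this client understands; any other *mandatory* argument is a deny.
KNOWN_ARGS = {"service", "priv-lvl", "cisco-av-pair", "idletime", "timeout"}

def parse_authz_reply(body: bytes):
    """TACACS+ authorization REPLY body (RFC 8907 s6.2) -> (status, server_msg, [(name, value, mandatory)])."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens = list(body[6:6 + arg_cnt])
    pos = 6 + arg_cnt
    server_msg = body[pos:pos + msg_len].decode()
    pos += msg_len + data_len                 # the data field is opaque here
    args = []
    for n in lens:
        raw = body[pos:pos + n].decode()
        pos += n
        # '=' marks a mandatory argument, '*' an optional one; the first separator wins
        sep = min((i for i in (raw.find("="), raw.find("*")) if i >= 0), default=-1)
        if sep < 0:
            raise ValueError(f"malformed argument: {raw!r}")
        args.append((raw[:sep], raw[sep + 1:], raw[sep] == "="))
    if pos != len(body):
        raise ValueError("trailing bytes in authorization reply")
    return STATUS.get(status, f"UNKNOWN({status:#x})"), server_msg, args

def privilege_level(args):
    """priv-lvl from a bare 'priv-lvl=N' argument or a 'shell:priv-lvl=N' av-pair value (assumed encodings)."""
    for name, value, _ in args:
        if name == "priv-lvl":
            return int(value)
        if "priv-lvl=" in value:              # e.g. cisco-av-pair=shell:priv-lvl=15
            return int(value.split("priv-lvl=", 1)[1])
    return None

def admin_role(body: bytes) -> str:
    """Read-write only for a passing reply with priv-lvl 15; an unknown mandatory argument fails authorization."""
    status, _, args = parse_authz_reply(body)
    if status not in ("PASS_ADD", "PASS_REPL"):
        return "DENY"
    if any(m and name.lower() not in KNOWN_ARGS for name, _, m in args):
        return "DENY"
    return "securityadmin" if privilege_level(args) == 15 else "read-Only"

def build_reply(status: int, args, server_msg: str = "") -> bytes:
    """Encoder for constructed sample replies (test data, not a real ACS capture)."""
    enc, msg = [a.encode() for a in args], server_msg.encode()
    header = struct.pack("!BBHH", status, len(enc), len(msg), 0)
    return header + bytes(len(a) for a in enc) + msg + b"".join(enc)
```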
Additional Information
To troubleshoot, use the test command from the firewall CLI to check whether authentication is working (ACS is the name of the authentication profile in this example):
> test authentication authentication-profile ACS username <name> password
Related system logs:
The related authentication logs are written to the authd.log file on the management plane and can be viewed from the CLI with: less mp-log authd.log