How to configure Tacacs authentication with Palo Alto Networks firewall

78933
Created On 09/25/18 17:42 PM - Last Modified 03/27/21 02:11 AM


Symptom


Palo Alto Networks firewalls support TACACS+ authentication for administrators starting with PAN-OS 7.0. This document explains how to configure TACACS+ authentication on a Palo Alto Networks firewall with read-only and read-write access privileges, using a Cisco ACS server as the TACACS+ server.

Environment


  • Palo Alto Networks firewall.
  • PAN-OS 7.0 or later.
  • TACACS+ server (Cisco ACS in this example).


Resolution


  1. Create a TACACS+ server profile and add the server information. If a secondary (backup) TACACS+ server is available, add it as well (GUI: Device > Server Profiles > TACACS+).
TACACS+ Server Profile

  2. Create an authentication profile that uses the TACACS+ server profile created in step 1 (GUI: Device > Authentication Profile).
Authentication Profile

Authentication Profile - Advanced tab
  3. By default, three admin roles exist (GUI: Device > Admin Roles):
  • auditadmin
  • cryptoadmin
  • securityadmin
In this example, the securityadmin role is used for read-write access and the read-Only role created in step 4 is used for read-only access.
Admin Roles

  4. Create another admin role with limited access. In this example, a role named read-Only is created with the Policies, Objects, Network, and Device tabs disabled (GUI: Device > Admin Roles).
Read Only Profile
  5. On PAN-OS 7.x, each administrator must be defined locally and assigned an admin role and the authentication profile, because only RADIUS vendor-specific attributes (VSAs) can assign roles to non-local administrators; the TACACS+ server is used to authenticate the user. Note: From PAN-OS 8.0 onward, local admin accounts are no longer required for TACACS+ users; only the admin roles need to exist on the firewall (GUI: Device > Administrators).
    Device Administrators

  6. On the Cisco ACS server, create the same usernames that are defined locally on the Palo Alto Networks firewall.

  7. Create a shell profile with these details:
    Attribute: Cisco-av-pair
    Requirement: Mandatory
    Value: shell:priv-lvl=15

  8. Create an Authorization Policy and apply the shell profile created in step 7.

  9. Successful (Passed) authentication attempts appear in the ACS server's authentication logs and confirm the configuration.
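As an added example (not code from this article or from Palo Alto Networks), the following Python builds the TACACS+ authorization REPLY that the ACS shell profile in step 7 returns, obfuscates it with the shared secret exactly as RFC 8907 specifies, and parses it back. It shows the practical reason the secret in the server profile (step 1) must be strong and unique: the packet body is only XORed with an MD5 keystream derived from the secret and the session ID, so a wrong secret yields garbage and no secret at all sends the attributes (and, for authentication packets, the password) in the clear on TCP port 49. The secret, session ID and attribute value are constructed for the example.

```python
"""TACACS+ (RFC 8907) authorization REPLY: build, obfuscate, parse.

Added example, not code from the Palo Alto Networks article. It models
the packet a Cisco ACS shell profile returns when it grants
"shell:priv-lvl=15" and shows what the shared secret actually protects.
All values below (secret, session ID, attribute) are constructed.
"""
import hashlib
import struct

VERSION = 0xC0                       # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02               # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Keystream from RFC 8907 section 4.5: an MD5 chain over session_id,
    key, version and seq_no, truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body (XOR is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_reply(status, args, server_msg=""):
    """Authorization REPLY body (RFC 8907 section 6.2)."""
    arg_bytes = [a.encode("ascii") for a in args]
    msg = server_msg.encode("ascii")
    body = struct.pack("!BBHH", status, len(arg_bytes), len(msg), 0)
    body += bytes(len(a) for a in arg_bytes)   # one length byte per arg
    body += msg + b"".join(arg_bytes)          # server_msg, (empty) data, args
    return body


def build_packet(body, session_id, key, seq_no=2, ptype=TAC_PLUS_AUTHOR):
    """Prepend the 12-byte header; obfuscate only if a secret is configured."""
    flags = 0 if key else TAC_PLUS_UNENCRYPTED_FLAG
    payload = xor_body(body, session_id, key, VERSION, seq_no) if key else body
    return HEADER.pack(VERSION, ptype, seq_no, flags, session_id, len(body)) + payload


def parse_author_reply(packet, key):
    """Return (status, server_msg, [av-pairs]) using the receiver's secret."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt
    server_msg = body[off:off + msg_len].decode("ascii", "replace")
    off += msg_len + data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii", "replace"))
        off += n
    return status, server_msg, args


SECRET = b"constructed-shared-secret"   # constructed; never reuse a sample secret
SESSION_ID = 0x5A5A1234                 # constructed


def demo():
    """Three cases: correct secret, wrong secret, and no secret at all."""
    body = build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, ["shell:priv-lvl=15"])
    good = parse_author_reply(build_packet(body, SESSION_ID, SECRET), SECRET)
    bad = parse_author_reply(build_packet(body, SESSION_ID, SECRET), b"wrong-secret")
    # With no secret the unencrypted flag is set and the av-pair is visible on the wire.
    clear = build_packet(body, SESSION_ID, b"")
    return {"good": good, "bad": bad, "leaks": b"shell:priv-lvl=15" in clear}


if __name__ == "__main__":
    print(demo())
```

Run it with python3: demo() returns the parsed reply for the correct secret, the garbage produced with a wrong secret, and whether the av-pair is visible in the packet built without a secret. In the PAN-OS 7.x configuration above, the admin role comes from the local administrator entry in step 5, not from the priv-lvl value returned by ACS.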

 

 

 



Additional Information



To troubleshoot, run the test command from the firewall CLI to check whether authentication against the profile works (the command prompts for the password after you press Enter):

> test authentication authentication-profile ACS username <name> password



Related system logs:

The authentication daemon writes the related messages to authd.log, which can be viewed from the CLI with: less mp-log authd.log


 


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIuCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail