Palo Alto Networks Management Access through TACACS

by ansharma on ‎03-23-2017 07:33 AM - edited on ‎07-25-2017 09:02 AM by (22,422 Views)

Prior to PAN-OS 8.0,  TACACS was limited to Authentication only. If you wanted to authenticate against a TACACS server to log in to the GUI or CLI, you had to create the same admin accounts on the Palo Alto Networks device. This doesn't scale well and its additional overhead, especially in large or dynamic environments. Hence, with the launch of PAN-OS 8.0, TACACS has been enhanced to use the Authorization from the TACACS server.

 

You no longer need to create admins locally, just the admin roles.

 

Follow the below steps to achieve this.

 

1. Create  a TACACS server profile and an Authentication profile. Then, add this profile in the Authentication settings.

TACACSserverprofile.JPG

Authprofile.JPGTACauth.JPGCall the previously created authentication profile in this section

 

2. Create admin roles as per your requirement.

adminroles.JPGCustom role with limited accessmy_custom_role.JPGSample permissions for this custom role

3. TACACS server side-configuration is next. I used Cisco ACS in this example.

AdminsaccountsonACS.JPGTwo example users created an ACS.customusershellprofile.JPGThis attribute gives admin level privileges, as per the custom admin defined on PA, to a successfully authenticating admin user.superusershellprofile.JPGThis gives ‘superuser’ privileges to the user. However, you can replace the value to be any of the pre-defined values (or even a custom value, as illustrated above).rules.JPGTailor the rules to match the users with their respective shell profiles

4. If everything is configured correctly, you should see successful logins.TACsuperuserloggingin.JPGSuperuser has access to everythingTACcustomuserloggingin.JPGNotice the limited access for this custom usercombinedSystemlog.JPGSystem logs showing logins for both admins

 

Troubleshooting

 

  • The Palo Alto Networks firewall, by default, uses the management interface to communicate with the TACACS server. However, you can change this to any interface under Service route configuration ('Device' tab).

serviceroute.JPG

  • You can also check the connectivity, authentication and the attributes passed, via the test command:
admin@anuragFW> test authentication authentication-profile TACauth username TACsuperuser password
Enter password :

Target vsys is not specified, user "TACsuperuser" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
name "TACsuperuser" is in group "all"

Authentication to TACACS+ server at '10.21.56.103' for user 'TACsuperuser'
Server port: 49, timeout: 3, flag: 0
Egress: 10.21.56.125
Attempting PAP authentication ...
PAP authentication request is created
PAP authentication request is sent
Authorization request is created
Authorization request sent with priv_lvl=1 user=TACsuperuser service=PaloAlto protocol=firewall
Authorization succeeded
Number of VSA returned: 1
VSA[0]: PaloAlto-Admin-Role=superuser
Authentication succeeded!

Authentication succeeded for user "TACsuperuser"

 

  •  Sometimes the issue is on the server side, so check the logs on the TACACS server too.
  • If you need to decrypt the TACACS packets to view the content, you can decrypt it on Wireshark.

decrypt.JPGEnter the shared secret in the box

  •  It's always a good idea to check the authd.log file (ideally in debug mode) when you are troubleshooting authentication related issues.

 

Additional Info

 

  • In my example above, I only used the attribute for granting admin access on the firewall. There are other attributes, however, available for you to implement different access on the firewall and Panorama too. Please refer to TACACS attributes 
  • RADIUS can also provide the same functionality, should you choose RADIUS over TACACS. Please refer to RADIUS with Windows NPS or RADIUS with ACS

 

All the best!

Comments
by GregTaylor
on ‎07-06-2017 03:42 PM

If you are trying to use this method while connected to the firewall through the management interface, you will also need to set the Authentication Profile under Device > Setup > Management > Authentication Settings.

 

Device-Management-AuthenticationSettings.jpg

by ansharma
on ‎07-25-2017 09:42 AM

 

Thanks @GregTaylor for pointing it out. It's now been included in the steps. 


Regards,

Anurag

Ignite 2018, Amsterdam, Netherlands
Ask Questions Get Answers Join the Live Community