Palo Alto Networks Management Access through TACACS
81761
Created On 09/25/18 17:36 PM - Last Modified 04/21/20 00:46 AM
Symptom
Prior to PAN-OS 8.0, TACACS was limited to authentication only. If you wanted to authenticate against a TACACS server to log in to the web interface or CLI, you still had to create the same admin accounts locally on the Palo Alto Networks device. This doesn't scale well and adds overhead, especially in large or dynamic environments. With PAN-OS 8.0, TACACS support has been enhanced so that the firewall also uses the authorization returned by the TACACS server to assign the admin role.
Resolution
You no longer need to create the admins locally, only the admin roles they map to. Follow the steps below to achieve this.
STEP 1: Create a TACACS server profile and an authentication profile that uses it. Then select this authentication profile in the device's Authentication Settings.
STEP 2: Create the admin roles as per your requirement. The role name returned by the TACACS server must match a role that exists on the firewall.
STEP 3: Configure the TACACS server side next. I used Cisco ACS in this example.
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/authentication-types/tacacs
STEP 4: If everything is configured correctly, you should see successful logins.
Troubleshooting
– You can also check connectivity, authentication and the attributes the server passes back with this test command:
admin@anuragFW> test authentication authentication-profile TACauth username TACsuperuser password
Enter password :
Target vsys is not specified, user "TACsuperuser" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "TACsuperuser" is in group "all"
Authentication to TACACS+ server at '10.21.56.103' for user 'TACsuperuser'
Server port: 49, timeout: 3, flag: 0
Egress: 10.21.56.125
Attempting PAP authentication ...
PAP authentication request is created
PAP authentication request is sent
Authorization request is created
Authorization request sent with priv_lvl=1 user=TACsuperuser service=PaloAlto protocol=firewall
Authorization succeeded
Number of VSA returned: 1
VSA[0]: PaloAlto-Admin-Role=superuser
Authentication succeeded!
Authentication succeeded for user "TACsuperuser"
Sometimes the issue is on the server side, so check the logs on the TACACS server too. If you need to inspect the content of the TACACS+ packets, Wireshark can decrypt them when you supply the shared secret.
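The most common reason a login still fails after the test above reports "Authentication succeeded" is that the PaloAlto-Admin-Role value returned by the server does not match any admin role on the firewall (STEP 2). The following added example, which is not Palo Alto Networks code, parses the plain-text output of the test command, extracts the server, the authorization parameters and the returned VSAs, and checks the role against the predefined PAN-OS dynamic roles plus the custom admin roles you created. The list of custom roles (`netops`) and the second, failing sample output (role `netops-readonly`) are constructed for illustration; the first sample is the output shown above.

```python
import re

# Predefined dynamic admin roles that exist on every PAN-OS firewall
# (no custom admin role object is needed for these).
PREDEFINED_ROLES = {"superuser", "superreader", "deviceadmin",
                    "devicereader", "vsysadmin", "vsysreader"}

SERVER_RE = re.compile(
    r"Authentication to TACACS\+ server at '([^']+)' for user '([^']+)'")
AUTHZ_SENT_RE = re.compile(r"^Authorization request sent with (.*)$")
VSA_RE = re.compile(r"^VSA\[(\d+)\]:\s*([^=]+)=(.*)$")


def parse_test_output(output: str) -> dict:
    """Extract the security-relevant facts from 'test authentication' output."""
    result = {"server": None, "user": None, "authz_params": {}, "vsas": {},
              "authorization_succeeded": False, "authentication_succeeded": False}
    for raw in output.splitlines():
        line = raw.strip()
        m = SERVER_RE.search(line)
        if m:
            result["server"], result["user"] = m.group(1), m.group(2)
            continue
        m = AUTHZ_SENT_RE.match(line)
        if m:
            # e.g. "priv_lvl=1 user=TACsuperuser service=PaloAlto protocol=firewall"
            for token in m.group(1).split():
                key, _, value = token.partition("=")
                result["authz_params"][key] = value
            continue
        m = VSA_RE.match(line)
        if m:
            result["vsas"][m.group(2).strip()] = m.group(3).strip()
            continue
        if line == "Authorization succeeded":
            result["authorization_succeeded"] = True
        elif line.startswith("Authentication succeeded"):
            result["authentication_succeeded"] = True
    return result


def check_admin_role(parsed: dict, configured_roles) -> list:
    """Return a list of problems; an empty list means the login will map to a valid role."""
    problems = []
    if not parsed["authentication_succeeded"]:
        problems.append("authentication did not succeed; check the shared secret and server logs")
    if not parsed["authorization_succeeded"]:
        problems.append("authorization did not succeed; check the service/protocol on the server")
    params = parsed["authz_params"]
    if params.get("service") != "PaloAlto" or params.get("protocol") != "firewall":
        problems.append("authorization was not requested with service=PaloAlto protocol=firewall")
    role = parsed["vsas"].get("PaloAlto-Admin-Role")
    valid_roles = PREDEFINED_ROLES | set(configured_roles)
    if role is None:
        problems.append("server returned no PaloAlto-Admin-Role VSA")
    elif role not in valid_roles:
        problems.append(f"returned role '{role}' is not an admin role on this firewall")
    return problems


# Output of the test command shown above.
SAMPLE_OK = """\
Authentication to TACACS+ server at '10.21.56.103' for user 'TACsuperuser'
Server port: 49, timeout: 3, flag: 0
Authorization request sent with priv_lvl=1 user=TACsuperuser service=PaloAlto protocol=firewall
Authorization succeeded
Number of VSA returned: 1
VSA[0]: PaloAlto-Admin-Role=superuser
Authentication succeeded!
Authentication succeeded for user "TACsuperuser"
"""

# Constructed failure case: the server returns a role name that was never
# created on the firewall, so the login would be rejected.
SAMPLE_BAD_ROLE = SAMPLE_OK.replace("PaloAlto-Admin-Role=superuser",
                                    "PaloAlto-Admin-Role=netops-readonly")

# Constructed list of custom admin roles created in STEP 2.
CONFIGURED_ROLES = ["netops"]

if __name__ == "__main__":
    for sample in (SAMPLE_OK, SAMPLE_BAD_ROLE):
        parsed = parse_test_output(sample)
        print(parsed["server"], parsed["vsas"], check_admin_role(parsed, CONFIGURED_ROLES))
```

Paste the full test output into `parse_test_output` and pass the names of the admin roles configured on the firewall; any entry in the returned list points at the side (server or firewall) that needs correcting.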
Additional Information
In the example above, I only used the attribute that grants admin access on the firewall. Other attributes are available, however, to implement different levels of access on the firewall and on Panorama.
Please refer to TACACS attributes.
RADIUS can also provide the same functionality, should you choose RADIUS over TACACS. Please refer to RADIUS with Windows NPS or RADIUS with ACS.