08-03-2011 06:01 AM
Greetings,
So, I'm looking to use ACS as a means for authentication for accessing our single PA device. I found this doc (https://live.paloaltonetworks.com/docs/DOC-1472) which has the configuration as well as the dictionary file. I guess I just have a few questions:
1. Do I need to create it with all those groups? As in, are those groups only directly significant with how I configure the access in the Palo Alto device? (Could I rename them as I would like or do the names carry specificity?) I see there is one specifically Panorama, etc.
Thanks!
08-03-2011 07:47 AM
Hi,
to configure ACS auth you need to know how VSA Attribuites mapping works.
Basically, every PAN VSA attribute matches with a PAN device Admin Role/Access Domain or Panorama Admin Role/Access Domain. These objects are under Device tab of your device GUI and must have the same name defined inside ACS forms, as shown in ACS20.png in the link you provided.
Of course, you can change "testrole" "testgroup" name in whatever you want :-). Until you feel confident with ACS and PAN I suggest you to insert All "Allo Users List" in PAN device and don't configure the PaloAlto-User-Group VSA attribute.
You can find furhter information and doc about ACS configuration inside the KP.
Bye
08-03-2011 08:03 AM
I could be missing something, but I don't see any of the mention VSA's anywhere in my device...
08-03-2011 10:12 AM
Hello,
Please reference the following KP article regarding VSA's:
https://live.paloaltonetworks.com/docs/DOC-1765
The section towards the bottom references Cisco ACS. As far as the device (assuming you are referring to the Palo Alto), VSA's are 'Vendor Specific Attributes'. The dictionary file that you've imported onto the ACS will add these attributes, allowing you to assign specific roles upon successful authentication/group assignment, i.e. Device Admin, Panorama Admin, etc...
As far as the groups, you can select all or select individual groups. (either option will not hurt or affect configuration). Selecting all allows you to assign single/multiple PaloAlto attributes when the group profile is created/modified. (the options are not enabled or assigned to the group profile unless you select them), i.e. [25461\001] PaloAlto-Admin-Role will assign authenticated users an Admin role for access to the Palo Alto Appliance. If you add additional attribute [25461\003] PaloAlto-Panorama-Admin-Role to this group, this would allow you to utilize a single group, where users can logon to both the Appliance & Panorama as an Administrator. (though you can always create separate groups for Panorama Admins & Device Admins).
These attributes cannot be renamed.
Regards,
Bryan
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
