Using ACS with PA

Not applicable

Using ACS with PA


So, I'm looking to use ACS as a means for authentication for accessing our single PA device.  I found this doc ( which has the configuration as well as the dictionary file.  I guess I just have a few questions:

1.  Do I need to create it with all those groups?  As in, are those groups only directly significant with how I configure the access in the Palo Alto device?  (Could I rename them as I would like or do the names carry specificity?)  I see there is one specifically Panorama, etc.


L0 Member

Re: Using ACS with PA


to configure ACS auth you need to know how VSA Attribuites mapping works.

Basically, every PAN VSA attribute matches with a PAN device Admin Role/Access Domain or Panorama Admin Role/Access Domain. These objects are under Device tab of your device GUI and must have the same name defined inside ACS forms, as shown in ACS20.png in the link you provided.

Of course, you can change "testrole" "testgroup" name in whatever you want :-). Until you feel confident with ACS and PAN I suggest you to insert All "Allo Users List" in PAN device and don't configure the PaloAlto-User-Group VSA attribute.

You can find furhter information and doc about ACS configuration inside the KP.


Not applicable

Re: Using ACS with PA

I could be missing something, but I don't see any of the mention VSA's anywhere in my device...

L3 Networker

Re: Using ACS with PA


Please reference the following KP article regarding VSA's:

The section towards the bottom references Cisco ACS. As far as the device (assuming you are referring to the Palo Alto), VSA's are 'Vendor Specific Attributes'. The dictionary file that you've imported onto the ACS will add these attributes, allowing you to assign specific roles upon successful authentication/group assignment, i.e. Device Admin, Panorama Admin, etc...

As far as the groups, you can select all or select individual groups. (either option will not hurt or affect configuration). Selecting all allows you to assign single/multiple PaloAlto attributes when the group profile is created/modified. (the options are not enabled or assigned to the group profile unless you select them), i.e. [25461\001] PaloAlto-Admin-Role will assign authenticated users an Admin role for access to the Palo Alto Appliance. If you add additional attribute [25461\003] PaloAlto-Panorama-Admin-Role to this group, this would allow you to utilize a single group, where users can logon to both the Appliance & Panorama as an Administrator. (though you can always create separate groups for Panorama Admins & Device Admins).

These attributes cannot be renamed.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!