The Panorama management platform helps firewall admins manage many devices. In a managed security services setup, Palo Alto Networks devices can be isolated from one another. Panorama has an option to divide the managed devices into Access Domains. An access domain specifies which domains an administrator may access on the firewalls. It is linked to a RADIUS Vendor-Specific Attribute (VSA) returned when the user is authenticated.
Separating devices into different Access Domains is a good idea when multiple administrators can log on to Panorama and manage their own devices. An access domain includes full access rights to the Templates and Device Groups of the managed devices in that Access Domain.
In this example configuration there will be 2 access domains to separate the devices. A RADIUS profile will be created, which will give access to only one access domain.
The configuration is done on a Panorama and a Windows RADIUS server, but the same principle is valid for a Palo Alto Networks M-100 device and any RADIUS server.
Note: The user needs to be logged in as superuser on Panorama and as a full administrator on the Windows server.
Create a RADIUS Server Profile. Under Panorama > Server Profiles > RADIUS, create the profile that will be used for authentication of the Panorama administrators:
Create the Authentication Profile. Under Panorama > Authentication Profiles, create the RADIUS authentication profile:
Select the RADIUS Authentication Profile as the profile to be used. Under Panorama > Setup > Management > Authentication Settings, select the RADIUS Authentication Profile created above.
Under Panorama > Access Domain, create the Access Domain: choose the Device Groups, Templates, and physical devices and/or vsys you would like to include in this Access Domain:
Create the Admin Role. Under Panorama > Admin Roles, create an admin role that will have the desired admin rights. Note: Select "Device Group and Template" as a Role.
Create the Policy on the Windows RADIUS Server.
Under NPS > Policies > Network Policies, create a policy to grant access to the user.
In the policy, add the conditions and constraints if needed.
In the policy properties, under the Settings tab, under Vendor Specific, create the attributes needed for authorization: use the Vendor attribute code 25461; for VSA number 3, use 3K_admin; for VSA number 4, use 3K_access_domain.
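As an added example (not from the article or from Palo Alto Networks), the following Python code shows how the two VSAs above are laid out on the wire in an RFC 2865 Vendor-Specific attribute (type 26, vendor ID 25461, sub-attributes 3 and 4) and how a decoder would extract the role and access domain from an Access-Accept, which is useful when checking a packet capture of what NPS actually returns. The sample attribute bytes and the 3K_admin / 3K_access_domain values are constructed to match this configuration.

```python
import struct

PAN_VENDOR_ID = 25461           # Palo Alto Networks vendor code from the NPS policy
RADIUS_VENDOR_SPECIFIC = 26     # RFC 2865 attribute type for Vendor-Specific
VSA_PANORAMA_ADMIN_ROLE = 3     # VSA number 3: Panorama admin role
VSA_PANORAMA_ACCESS_DOMAIN = 4  # VSA number 4: Panorama access domain


def encode_pan_vsa(sub_type: int, value: str) -> bytes:
    """Build one Vendor-Specific attribute (type 26) carrying a single
    Palo Alto Networks sub-attribute, as NPS places it in an Access-Accept."""
    payload = value.encode("utf-8")
    sub = struct.pack("!BB", sub_type, len(payload) + 2) + payload
    body = struct.pack("!I", PAN_VENDOR_ID) + sub
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, len(body) + 2) + body


def decode_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return {sub_type: value} for every
    Palo Alto Networks VSA; other attributes and other vendors are skipped."""
    found, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        if atype == RADIUS_VENDOR_SPECIFIC and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == PAN_VENDOR_ID:
                j = i + 6
                while j + 2 <= i + alen:       # vendor data may hold several sub-attributes
                    stype, slen = attrs[j], attrs[j + 1]
                    if slen < 2 or j + slen > i + alen:
                        raise ValueError("malformed sub-attribute length")
                    found[stype] = attrs[j + 2:j + slen].decode("utf-8")
                    j += slen
        i += alen
    return found


def panorama_authorization(attrs: bytes) -> tuple:
    """Return (admin_role, access_domain) as Panorama would read them;
    either is None when the corresponding VSA is missing."""
    vsas = decode_vsas(attrs)
    return vsas.get(VSA_PANORAMA_ADMIN_ROLE), vsas.get(VSA_PANORAMA_ACCESS_DOMAIN)


# Constructed sample: the attributes the NPS policy in this article returns.
SAMPLE_ACCEPT_ATTRS = (encode_pan_vsa(VSA_PANORAMA_ADMIN_ROLE, "3K_admin")
                       + encode_pan_vsa(VSA_PANORAMA_ACCESS_DOMAIN, "3K_access_domain"))

if __name__ == "__main__":
    print(panorama_authorization(SAMPLE_ACCEPT_ATTRS))
```

A user whose Access-Accept carries only VSA 3 gets a role but no access domain, which is the case to look for when a login succeeds but the administrator does not see the expected devices.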
Verify the setup.
In the authd.log, users logging in with the appropriate access domain and role are visible: