Separate Panorama Admins Access Domains using RADIUS

Printer Friendly Page

Overview

The managed Panorama platform helps firewall admins manage many devices. In cases of managed security services, Palo Alto Networks devices can be isolated from one another. There is an option on Panorama to divide the device in Access Domains. The access domain specifies the domains for administrator access to the firewalls. It is linked to a VSA (Vendor-specific Attributes) RADIUS attribute to authenticate the users.


Separating different devices in different Access Domains is a good idea when multiple administrators have the option to log on the Panorama and manage their devices. This includes full access rights to Templates and the Device Groups for managed devices in the Access Domain.

Details

In this example configuration there will be 2 access domains to separate the devices. A RADIUS profile will be created, which will give access to only one access domain.

The configuration is done on a Panorama and a Windows RADIUS server, but the same principle is valid for a Palo Alto Networks M-100 device and any RADIUS server.

Note: The user needs to be logged in as superuser on the Panorama and as Full administrator on the windows server.

  1. Create a Radius Server Profile.Under Panorama > Server Profiles > RADIUS, create the profile that will be used for authentication for the Panorama administrators:
    Screen Shot 2014-09-17 at 8.27.33 PM.png
  2. Create the Authentication Profile.
    Under Panorama > Authentication Profiles, create the RADIUS authentication profile:
    Screen Shot 2014-09-17 at 8.29.35 PM.png
  3. Go to the RADIUS as an Authentication Profile that needs to be used.
    Under Panorama > Setup > Management > Authentication Setting, select the created RADIUS Authentication Profile.
    Screen Shot 2014-09-17 at 8.31.12 PM.png
  4. Under Panorama > Access Domain, create the Access Domain:
    Chose the Device Groups, Templates, and Physical Devices and/or vsys you would like to include in this Access Domain:
    Screen Shot 2014-09-17 at 1.14.20 PM.pngScreen Shot 2014-09-17 at 1.14.33 PM.pngScreen Shot 2014-09-17 at 1.14.40 PM.png
  5. Create the Admin Role.
    Under Panorama > Admin Roles, create an admin role that will have the desired admin rights.
    Note: Select "Device Group and Template" as a Role.
    Screen Shot 2014-09-17 at 8.44.10 PM.png
  6. Create the Policy on the Windows RADIUS Server.
    1. Under NPS > Policies > Network Policies, create a policy to grant access to the user.
    2. In the policy, add the conditions and constrains if needed.
    3. In the policy proporties, under the settings tab, under the Vendor Specific, create the needed attributes for the authorization:
      -use the Vendor atribute code: 25461
      -for the VSA number 3, use the 3K_admin
      -for the VSA number 4, use the 3K_access_domain
      Screen Shot 2014-09-17 at 8.51.55 PM.png
      Screen Shot 2014-09-17 at 8.52.14 PM.png
      Screen Shot 2014-09-17 at 8.52.46 PM.png
  7. Verify the setup.

In the authd.log, users logging in with the appropriate access domain and role are visible:

2014-09-17 20:15:55.524 +0200 debug: pan_authd_service_req(pan_authd.c:3316): Authd:Trying to remote authenticate user: emea

2014-09-17 20:15:55.524 +0200 debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'','','emea'>

2014-09-17 20:15:55.529 +0200 emea admin is being authed

2014-09-17 20:15:55.532 +0200 debug: pan_authd_handle_admin_auths(pan_authd.c:2245): Using auth prof Radius for admin emea

2014-09-17 20:15:55.532 +0200 debug: pan_authd_handle_admin_auths(pan_authd.c:2299): shared/Radius is auth prof is of type (auth profile)

2014-09-17 20:15:55.546 +0200 debug: pan_process_radius_auth(pan_authd.c:1088): Found vsa radius role 3K_admin for user emea

2014-09-17 20:15:55.546 +0200 debug: pan_process_radius_auth(pan_authd.c:1105): Found vsa radius access domain 3K_access_domain for user emea

2014-09-17 20:15:55.546 +0200 authentication succeeded for user <shared,Radius,emea>

2014-09-17 20:15:55.546 +0200 authentication succeeded for remote user <emea(orig:emea)>

...

2014-09-17 20:15:55.561 +0200 Request received to unlock shared/Radius/emea

2014-09-17 20:15:55.562 +0200 User 'emea' authenticated.   From: 10.193.100.140.

2014-09-17 20:15:55.562 +0200 debug: pan_authd_generate_system_log(pan_authd.c:866): CC Enabled=False

2014-09-17 20:15:55.566 +0200 debug: pan_authd_service_req(pan_authd.c:3322): Authd:get group request

2014-09-17 20:15:55.566 +0200 debug: pan_authd_get_userinfo(pan_authd.c:3432): Found access domain (3K_access_domain) and role (3K_admin) for user emea

2014-09-17 20:15:55.566 +0200 debug: pan_authd_handle_group_req(pan_authd.c:3210): Got user role/adomain 3K_admin/3K_access_domain for user emea

2014-09-17 20:15:55.567 +0200 Error:  pan_authd_handle_group_req(pan_authd.c:3223): Failed to get user pw profile settings

2014-09-17 20:29:29.438 +0200 debug: cfgagent_opcmd_callback(pan_cfgagent.c:418): authd: cfg agent received op command from server

Web UI verification

When the user now tries to logon to Panorama, access will be limited to the devices in the defined access domain.

This includes access to the templates, device groups, logs and changing context from the Panorama to the devices in the access domain.

For example, managed devices shows only the devices in the 3K_access_domain:

Screen Shot 2014-09-17 at 8.56.19 PM.png

Only the PA-3000 template is shown in the list:

Screen Shot 2014-09-17 at 8.56.42 PM.png

Only the devices in the 3K_access_domain are available to change context to:

Screen Shot 2014-09-17 at 8.57.01 PM.png

The full admin has rights to see all the Templates and Contexts:

Three templates are shown for the admin user.

Screen Shot 2014-09-17 at 8.58.32 PM.png

Two devices are available to be connected to via context change.

Screen Shot 2014-09-17 at 8.59.46 PM.png

owner: ialeksov

Tags (7)
Comments

Great article! I was able to gleen what I needed for Panorama 7.0.3 and ACS 5.3, but was wondering if there is an updated document?

Is it possible to grant Pano CLI access to Device restricted users?  Perhaps by granting multiple admin roles.