Configuring Panorama Admin Role and Cisco ISE

by Ion.Ermurachi on ‎03-10-2017 07:23 AM - edited on ‎03-27-2017 01:30 PM by (3,972 Views)

TRANSCRIPT

 

Hello everyone, this is Ion Ermurachi from the Technical Assistance Center (TAC) in Amsterdam.


In this video, I will demontrate how to configure Panorama with user authentication against Cisco ISE that will return as part of authorization of the "Panorama Admin Role" RADIUS attribute.

 

 


What we want to achieve is for the user to log in and have access only to the Dashboard and ACC tabs, nothing else.
To implement that, we can create under Panorama Admin Roles an Admin Role profile. Here I gave the user Dashboard and ACC access under Web UI and Context Switch UI.

 

The firewall will redirect authentication to Cisco ISE within a RADIUS access request where the username will be added and the ISE will respond with an access-accept or an access-reject. Within an Access-Accept, we would like the Cisco ISE to return within an attribute the string Dashboard-ACC string. This Dashboard-ACC string matches exactly the name of the admin role profile.

 

After configuring the Admin-Role profile, the RADIUS connection settings can be specified. Here I specified the Cisco ISE as a server, 10.193.113.73. Next, we will configure the authentication profile "PANW_radius_auth_profile."


Next, we will go to Panorama > Setup > Authentication Settings and set the authentication profile configured earlier, press OK then commit. This is the configuration that needs to be done from the Panorama side.

 

For Cisco ISE, I will try to keep the configuration simple, I will add to network resources the Panorama device, Panorama-72 as the name, the IP address, device profile configured earlier (PANW-device-profile), shared secret "paloalto" and click on submit.

 

Next, I will add a user in Administration > Identity Management > Identities. Username will be ion.ermurachi, password Amsterdam123 and submit.

 

Next, we will check the Authentication Policies. This is a default Cisco ISE installation that comes with MAB and DOT1X and a default authenbtication rule. We will be matching this rule (default), we don't do MAB and neither DOT1X, so we will match the last default rule.

 

If no match, Allow Protocols DefaultNetworksAccess that includes PAP or CHAP and it will check all identity stores for authentication. So we will leave it as it is.

 

Next, we will go to Policy > Authorization > Results. Navigate to Authorization > Authorization Profile, click on Add. For the name, we will chose AuthZ-PANW-Pano-Admin-Role.

 

Here we will add the Panorama Admin Role VSA, it will be this one. Access type Access-Accept, PANW-device-profile, then we will select from Dictionaries PaloAlto-Panorama-Admin-Role, attribute number 3, once again attribute number 3. And here we will need to specify the exact name of the Admin Role profile specified in here.

 

Note: Make sure you don't leave any spaces and we will paste it on ISE. Click submit.

 

Next, we will go to Authorization Rules. Create a rule on the top. I will name it AuthZ Pano Admin Role ion.ermurachi, and for conditions, I will create a new condition. I will match by the username that is provided in the RADIUS access-request. To do that, select Attributes and select RADIUS, then navigate to the bottom and choose username.

 

So this username will be this setting from here, access-request username. And I will provide the string, which is ion.ermurachi. This is done. And for permisssion, for authorization, for permissions sent to the user, we will add the authorization profile created earlier, then click Save.

 

That will be all for Cisco ISE configuration.


OK, now let's validate that our configuration is correct. Let's do a quick test. I will open a private web-page and I will try to log in to Panorama with the new user, ion.ermurachi password Amsterdam123. Connecting. As you can see, we have access only to Dashboard and ACC tabs, nothing else.

 

We can check the Panorama logs to see that the user authenticated successfully, so if you go to Monitor > System you will see the event auth-success and the Dashboard-ACC VSA returned from Cisco ISE.


On the ISE side, you can go to Operation > Live Logs, and as you can see, here is the Successful Authentication.


OK, we reached the end of the tutorial, thank you for watching and see you in the next video.

 

Ask Questions Get Answers Join the Live Community