Panorama Access-Domain and Integration with Cisco ISE RADIUS Server

by Ion.Ermurachi on 03-07-2017 09:07 AM - edited on 03-15-2017 08:33 AM by (6,426 Views)


Hello everyone, this is Ion Ermurachi from the TAC (Technical Assistance Center) in Amsterdam.

In this video, I would like to demonstrate how you can configure the Panorama access domain to limit administrative access.
The user-to-access-domain association will be obtained dynamically from a Cisco ISE RADIUS server. Before jumping into the configuration, let's understand what an access domain means on Panorama.



I am accessing the Panorama GUI with the admin account, which has the superuser role. Basically, I can add, modify, view or delete anything, no restrictions are applied.


For example, with the superuser role on the admin account, I can go to any device group and add a security policy rule.
But in a multi-tenant environment, or a big company where the resources to be managed tend to increase over time, it makes sense to provide users with limited administrative access. So, for example, user1 or company1 could have access only to firewall1, and user2 or company2 could access only anything related to firewall2. Let me show you a working example.


On the same Panorama, user dima has an access domain for firewall1 only and user sandu has access only for firewall2.
Let's log in with these accounts.


Loading up.


So user dima has access only to resources related to firewall1, context, ACC, Monitor, Device Groups, Templates and Panorama.
But user sandu has access only to firewall 2 resources, context, ACC, Monitor, Device Groups, Templates and Panorama.

Let's move forward with the configuration. Go to Panorama, load the basic configuration, commit, close.


The access domain feature needs an admin role profile created first. The admin role profile specifies the access the user can have within an access domain.


I will create 2 admin role profiles:


  • The first will be FW1-Admin-Role. The role type will be "Device Group and Template" and I will allow any access.
  • The next admin role profile will be FW2-Admin-Role and again "Device Group and Template" will be chosen.

Next, we will create 2 access domains:


  • The first one will be FW1-Access-Domain: access only to FW1-template, change the device context only for FW1, and write to shared objects.
  • The second one will be FW2-Access-Domain: template only for FW2 and change the device context only for FW2. And I forgot to change the shared objects setting to write. I assume here that both users are working in the same company and they can write to shared objects.

Next, we can specify the RADIUS server settings. I have configured here an ISE server with its IP address.
Then reference this server within an authentication profile. You can see the authentication profile name, the type of authentication (the protocol used is RADIUS) and the server profile, which is ISE-server; we are not interested in the allow list, so we will configure ALL.


Next, go to Setup > Management > Authentication Settings for Panorama. Here you have to add the authentication profile configured earlier. Then commit the settings to Panorama.


That is all for configuration on Panorama.

Next, let's discuss RADIUS and what happens on the wire.

I took a packet capture before recording this video, when I was doing my tests. Panorama will redirect authentication to the RADIUS server, in this case Cisco ISE, through a RADIUS Access-Request packet. The username will be provided, along with the authentication profile name as NAS-Identifier and the IP address of the Panorama. As a response, there was an Access-Accept.


So here is the username that tried to authenticate, and what is important to note is the vendor-specific attributes that are returned to Panorama. Within VSA #3 the firewall admin role is returned, and within VSA #4 FW1-Access-Domain is returned. These are the attributes number 3 and number 4.
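As an added example, not part of the original video and not Palo Alto Networks or Cisco code, here is a small Python script that builds a constructed Access-Accept carrying the two Panorama VSAs the capture shows, then parses and validates it the way a careful RADIUS client should: check the packet length, verify the Response Authenticator against the shared secret, walk the attributes with bounds checks, and map the user only if both the admin role and the access domain exactly match names configured on Panorama. The vendor ID 25461 and the sub-attribute numbers 3 and 4 are assumed from the public Palo Alto RADIUS dictionary (the video only calls them VSA #3 and VSA #4); the shared secret, request authenticator and packet contents are constructed sample values.

```python
import hashlib
import hmac
import struct

# Palo Alto Networks enterprise number and Panorama sub-attribute numbers, as
# in the public Palo Alto RADIUS dictionary (assumed; the video says VSA #3/#4).
PALOALTO_VENDOR_ID = 25461
VSA_PANORAMA_ADMIN_ROLE = 3           # PaloAlto-Panorama-Admin-Role
VSA_PANORAMA_ADMIN_ACCESS_DOMAIN = 4  # PaloAlto-Panorama-Admin-Access-Domain

ATTR_USER_NAME = 1
ATTR_VENDOR_SPECIFIC = 26
CODE_ACCESS_ACCEPT = 2

# Constructed sample values; a real request authenticator is 16 random bytes
# chosen by the RADIUS client (Panorama) for every Access-Request.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))


def attr(attr_type, value):
    """Encode one plain RADIUS attribute as Type, Length, Value (RFC 2865 section 5)."""
    data = value.encode()
    return struct.pack("!BB", attr_type, 2 + len(data)) + data


def vsa(vendor_type, value):
    """Encode one Palo Alto Vendor-Specific attribute (RFC 2865 section 5.26):
    Type 26, Length, Vendor-Id, then Vendor-Type, Vendor-Length, Value."""
    data = value.encode()
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(identifier, request_auth, secret, attributes):
    """Build an Access-Accept; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) (RFC 2865 section 3)."""
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet, request_auth, secret):
    """True only if the server proved knowledge of the shared secret for this reply."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet):
    """Walk the attribute list with bounds checks; return (plain attrs, Palo Alto VSAs)."""
    plain, vsas = {}, {}
    pos, end = 20, len(packet)
    while pos < end:
        if pos + 2 > end:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > end:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + a_len]
        if a_type == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("vendor-specific attribute too short")
            if struct.unpack("!I", value[:4])[0] == PALOALTO_VENDOR_ID:
                vpos = 4  # one VSA may carry several sub-attributes
                while vpos < len(value):
                    if vpos + 2 > len(value):
                        raise ValueError("truncated sub-attribute")
                    v_type, v_len = value[vpos], value[vpos + 1]
                    if v_len < 2 or vpos + v_len > len(value):
                        raise ValueError("bad sub-attribute length")
                    vsas[v_type] = value[vpos + 2:vpos + v_len].decode()
                    vpos += v_len
        else:
            plain[a_type] = value
        pos += a_len
    return plain, vsas


def authorize(packet, request_auth, secret, known_roles, known_domains):
    """Map a reply to (user, admin role, access domain), or None if any check fails:
    wrong code or length, bad authenticator, missing VSA, or a name that does not
    exactly match something configured on Panorama."""
    if len(packet) < 20 or packet[0] != CODE_ACCESS_ACCEPT:
        return None
    if struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    if not verify_response_authenticator(packet, request_auth, secret):
        return None
    plain, vsas = parse_attributes(packet)
    role = vsas.get(VSA_PANORAMA_ADMIN_ROLE)
    domain = vsas.get(VSA_PANORAMA_ADMIN_ACCESS_DOMAIN)
    if role not in known_roles or domain not in known_domains:
        return None
    return plain.get(ATTR_USER_NAME, b"").decode(), role, domain


def demo():
    """Reply for user dima as the capture shows it: role in VSA #3, domain in VSA #4."""
    reply = build_access_accept(7, REQUEST_AUTH, SECRET, [
        attr(ATTR_USER_NAME, "dima-fw1-access-domain"),
        vsa(VSA_PANORAMA_ADMIN_ROLE, "FW1-Admin-Role"),
        vsa(VSA_PANORAMA_ADMIN_ACCESS_DOMAIN, "FW1-Access-Domain"),
    ])
    roles = {"FW1-Admin-Role", "FW2-Admin-Role"}
    domains = {"FW1-Access-Domain", "FW2-Access-Domain"}
    return authorize(reply, REQUEST_AUTH, SECRET, roles, domains)


if __name__ == "__main__":
    print(demo())
```

The exact-match check on the returned names is the reason the video copies the role and access-domain names out of the Panorama GUI and pastes them into ISE rather than retyping them: a misspelled value on the ISE side is still carried back in a valid Access-Accept, but it matches nothing configured on Panorama, so the login cannot be mapped to an access domain.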


Let's proceed with ISE configuration.


We will go to device administration, network resources. I have added already Panorama as a network device. Give it a name, an IP address, and a shared secret.

I have also created the 2 users: dima-fw1-access-domain and sandu-fw2-access-domain. Next, go to Policy > Dictionaries, go under System and find RADIUS > RADIUS Vendors. I have defined PaloAltoNetworks as a vendor in the dictionaries, with the vendor-specific attributes supported at the time of recording.


Next, go to Authorization > Policy Elements > Results > Authorization > Authorization Profile. Click on ADD and name it PANW-FW1-Access-Domain; Access Type > Access-Accept; network device profile PaloAltoNetworks. Now, go to Dictionaries and choose PaloAltoNetworks. We will use access-domain. The access domain we will copy from Panorama and paste it in the ISE GUI. And we will need the admin role profile name from Panorama GUI, copy and go back to ISE. These are the attributes that we have just added.


Next Authorization profile will be PANW-FW2-Access-Domain, Access-Accept, device profile PANW-device-profile.
Go to Dictionaries and choose access-domain. Go to Panorama and copy FW2-Access-Domain, then paste it in the ISE GUI. Go for the next attributes, admin-role-profile - copy the value from Panorama.


Go for the next attribute, which is the admin-role profile PaloAlto-Panorama-Admin-Role. Go back to Panorama and copy the FW2-Admin-Role and then return to ISE and paste it in the GUI.


Check the authentication rules. We will not match MAB or Dot1X; the default rule will be matched. 'Allowed protocols' is the default network access, which includes the PAP and CHAP RADIUS protocols. 'All user identity stores' includes the local store.

We can move forward with Authorization rules.

We will add 2 rules, one matching user dima-FW1-Access-Domain and one matching sandu-FW2-Access-Domain.
The settings can be taken from the packet captures. I will add 3 conditions for matching: username, NAS-Identifier, which is the authentication profile defined in Panorama, and the IP address of the Panorama.

For user dima, go to permissions. I will choose standard profile and PANW-FW1-Access-Domain.

Next, I will go with creation of a second rule, one matching user sandu-FW2-Access-Domain. And for authorization profile, I will choose standard profile. The one we defined earlier is PANW-FW2-Access-Domain. That is all for ISE configuration.


Let's do a quick test and validate our configuration:

  • dima-fw1-access-domain, login. And, sandu-fw2-access-domain, login.
  • user dima-fw1 on the left and user sandu-fw2 on the right.
  • User dima has access only to device group FW1-device-group. Anywhere you go, you will not see anything related to FW2, only FW1.
  • The same thing can be seen for user sandu-FW2-Access-Domain: Panorama managed device FW2, the same for templates and devices, and the same for device groups.

One more quick check is the Panorama system logs. Go to Monitor > System. This is the authentication for user dima-fw1-access-domain, with the IP address of the ISE server. And here we got FW1-admin-role and FW1-access-domain. The same for user sandu.


For ISE, we can go to Operations > Live Logs. And here is how the authentication log details look. It can tell you what the authentication policy was, what the authorization rules were, and the identity store. This was the username, the authorization rule and the authorization profile returned (and of course, an Access-Accept was returned).


And we have reached the end of our video. Once again, this is Ion, thank you for watching, and see you in the next video.

by foystera
on 06-01-2017 02:30 AM

One thing I notice with access-domain users and the option to 'write to shared':


- a restricted user, with the option to 'write to shared' can modify shared 'Objects' and can create new shared 'Objects', as well as clone an 'Object' to 'Shared'.


- when I come to Policies however I could not create a shared Policy and while I could clone a shared policy to my device group, I could not clone a policy from my device group to 'Shared'.


Is there a reason for this? Is it related to the context view in Device Groups? (you can/have to switch this under the Policies tab, but not the Objects tab)


So bottom line - 'write to shared' allows the creation (write) of anything in the Objects tab, but not the Policies tab.




