Admin authentication using RADIUS without local accounts

L2 Linker

Hi All,

I ran across a strange issue when provisioning a new Administrator on our team. The background is that we use Cisco ACS 5.1 as our RADIUS authentication for our PA firewalls. All of the correct VSAs are input and appropriate Authorization Policies created for Firewalls and Panorama. We do not use local accounts, and instead rely on ACS to do authorization, which keeps things centralized.

However, I noticed that after I had provisioned this new admin account on ACS the user was not able to successfully authenticate via SSH to the PA firewall. After quite a bit of testing and troubleshooting I ultimately determined that if you do not first authenticate to the firewall via Web UI, you cannot authenticate via SSH. Very odd I thought.

If anyone else can attempt to replicate this issue, please let me know. It's a simple enough work around so nothing critical but I found it curious.

Affected versions I could test:

3.1.5
4.0.1
4.0.7

Community Team Member

Thanks for the question.

It would appear that this has been reported before.

We have a bug where "out-of-device" admin accounts require a webUI logon first before the SSH logon works. This is because when you configure an admin user on PAN, it also creates a home directory for that user. If you have defined an admin on RADIUS only, then PAN does not have that user's corresponding home directory. In that case the first-time login via SSH fails because there is no home directory. When you first log in via the webUI it will create that home directory for subsequent SSH logons.

The workaround for this is to configure admins on PAN itself via the Device->Administrators tab for admins that would only have CLI access. At present, this bug has not been resolved.

This might be fixed soon in a future release, but we do not know as of yet when that will be.

If you are having issues where locally configured administrators are having to logon via the webUI first, then please call into PAN support for a live troubleshooting session.

Kind Regards.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items!
Community Team Member

Update:

This issue has come up in 5.0.1, and is resolved in 5.0.5 and 5.1.1.

Ref case 120090

L2 Linker

Tested in 5.0.6 and it is still an issue.

Community Team Member

Thanks for the update. Please allow me to clarify.

On your FW device, you have an admin role as:

test2-admin-role {
  role {
    device {
      cli superreader;
      webui {

??

Or you need Panorama to push down an admin role also.

Please confirm.

L2 Linker

No such admin role. Admin role is sent via VSA in RADIUS accept message.
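Added example, not code from the thread or from Palo Alto Networks: a small Python encoder/decoder that shows how an admin role rides in a RADIUS Access-Accept as a Vendor-Specific attribute (type 26, RFC 2865) and how the receiving side should check the Response Authenticator against the shared secret before trusting anything the reply carries. The vendor ID 25461 and the vendor attribute number 1 for the admin role are assumptions; the packet, request authenticator and shared secret are constructed inline.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_REPLY_MESSAGE = 18        # standard attribute, RFC 2865
ATTR_VENDOR_SPECIFIC = 26      # VSA container, RFC 2865 section 5.26
PALOALTO_VENDOR_ID = 25461     # assumption: IANA enterprise number used by PAN-OS
PALOALTO_ADMIN_ROLE = 1        # assumption: vendor attribute number carrying the admin role name


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """Type(1) Length(1) Value; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific: Vendor-Id(4), then Vendor-Type(1) Vendor-Length(1) Value."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_access_accept(identifier: int, request_auth: bytes, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator; a reply that fails this must not be honoured."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(packet: bytes):
    """Return (code, identifier, [(type, value), ...]) with strict length checks."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad packet length")
    attrs, offset = [], 20
    while offset < length:
        if offset + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[offset], packet[offset + 1]
        if alen < 2 or offset + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[offset + 2:offset + alen]))
        offset += alen
    return code, identifier, attrs


def extract_vsas(attrs):
    """Yield (vendor_id, vendor_type, value); one VSA may pack several sub-attributes."""
    out = []
    for atype, value in attrs:
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                break  # malformed sub-attribute: stop rather than mis-parse
            out.append((vendor_id, vtype, value[pos + 2:pos + vlen]))
            pos += vlen
    return out


def admin_roles_from_accept(packet: bytes, request_auth: bytes, secret: bytes):
    """Admin role names from a verified Access-Accept; empty list if unverified or not an Accept."""
    if not verify_response_authenticator(packet, request_auth, secret):
        return []
    code, _, attrs = parse_attributes(packet)
    if code != ACCESS_ACCEPT:
        return []
    return [v.decode("ascii") for vid, vt, v in extract_vsas(attrs)
            if vid == PALOALTO_VENDOR_ID and vt == PALOALTO_ADMIN_ROLE]


# Constructed sample reply: one standard attribute plus the role VSA.
SAMPLE_SECRET = b"constructed-shared-secret"
SAMPLE_REQUEST_AUTH = bytes(range(16))   # constructed; a real request uses a random value
SAMPLE_ACCEPT = build_access_accept(
    identifier=7,
    request_auth=SAMPLE_REQUEST_AUTH,
    secret=SAMPLE_SECRET,
    attrs=encode_attr(ATTR_REPLY_MESSAGE, b"Welcome")
    + encode_vsa(PALOALTO_VENDOR_ID, PALOALTO_ADMIN_ROLE, b"superreader"),
)

if __name__ == "__main__":
    print(admin_roles_from_accept(SAMPLE_ACCEPT, SAMPLE_REQUEST_AUTH, SAMPLE_SECRET))
```

Fed a capture of a real Access-Accept together with the matching request authenticator and the shared secret, `admin_roles_from_accept` tells you exactly which role name the RADIUS server handed back, which is the first thing to confirm when a RADIUS-only admin cannot log in: the firewall cannot create or pick a profile for a role that never arrived or arrived under the wrong vendor ID.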

L5 Sessionator

It is bug 32363, which has been previously reported. However, the bug will be fixed in the next major release, so it is not in 5.0.x.

Hope this helps.

Thanks
