Authenticating Panorama users with AD

L1 Bithead

Is it possible to authenticate users using their AD credentials when they log into Panorama? Short of giving administrators their own login into Panorama, I'm unable to track who has changed what.

I've read through the LDAP guide, but it focuses on the actual security devices and not Panorama.

Has anyone done this or know if it is possible?

Thanks

6 REPLIES

L4 Transporter

Yes, but you'll need a RADIUS server. You'll add the Panorama to the RADIUS clients using the RADIUS standard client-vendor attributes. Then create a strong password for the shared secret. Write that down, and we'll come back to that next.

Then you'll need to add the RADIUS policies. For a Windows RADIUS server, we use the "Client Friendly Name Matches" and use the name of the RADIUS client you just added, and "Windows-Groups matches" for the group of users you want to authenticate.

Then click on the "Edit Profile" button. Under the Authentication tab, check everything but "Encrypted authentication (CHAP)" and "Allow clients to connect without negotiating an authentication method."

Then stop and start the RADIUS server.

Then create a RADIUS profile in Panorama. Add the IP address of the RADIUS server and enter the shared secret you assigned for that server. Then you should be able to add the administrative user's short name and select the checkbox for RADIUS authentication. Commit the change and try it out.
</grreplace_placeholder_never_emitted>

I think that's everything we had to do to make it work.

Thanks, I'll see if we can get the Windows IAS installed.

Pity it can't just use LDAP!

If it can, I haven't bothered. We set it up before PAN-OS 3.1.

You should be able to use LDAP directly for checking the account credentials, but you would still need to set up the admin accounts within Panorama, as it will only use the LDAP connection for checking the password. If you want to avoid setting up the accounts explicitly, you can use RADIUS VSAs to have Panorama (or the device) leverage directory information to determine which accounts should have access to the system (and what level of access).

Mike

Mike, I can't get this to work. I set up AD admin auth just like it is set up on my firewalls. I get invalid username/password.

Never mind, I got it. The DN of the ID used to query AD had a syntax error.
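The failure in the last reply (a malformed bind DN in the LDAP profile surfacing only as "invalid username/password") is easy to catch before the commit. As an added example that is not code from the thread or from Palo Alto Networks, here is a small RFC 4514 syntax checker for the bind DN; the DNs it is run against are constructed, and it deliberately reports problems rather than raising so the operator sees every error at once.

```python
"""RFC 4514 syntax check for an LDAP bind DN (added example, not from the thread).

Flags the mistakes that turn into a bind failure: missing '=', empty RDNs from a
stray comma, unescaped special characters, dangling backslashes, and a UPN or
DOMAIN\\user name pasted where a DN belongs.  Sample DNs are constructed.
"""
import re

ATTR_TYPE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$|^\d+(\.\d+)*$")
# RFC 4514 s.2.4: a backslash may only escape a special character or a hex pair.
VALUE_SYNTAX = re.compile(r'(?:[^\\]|\\(?:[ ,+"\\<>;#=]|[0-9A-Fa-f]{2}))*')
UNESCAPED_SPECIAL = re.compile(r'(?<!\\)[+"<>;]')


def split_rdns(dn: str) -> list[str]:
    """Split on commas that are not backslash-escaped (quoted values are not supported)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            if i + 1 >= len(dn):
                raise ValueError("dangling backslash at end of DN")
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def check_bind_dn(dn: str) -> list[str]:
    """Return a list of problems; an empty list means the DN is syntactically sound."""
    if not dn.strip():
        return ["empty DN"]
    if "=" not in dn:
        return ["no '=' anywhere: this looks like a UPN or DOMAIN\\user, not a DN"]
    try:
        rdns = split_rdns(dn)
    except ValueError as e:
        return [str(e)]
    problems = []
    for n, rdn in enumerate(rdns, 1):
        if not rdn.strip():
            problems.append(f"RDN {n}: empty (double comma or trailing comma?)")
            continue
        if "=" not in rdn:
            problems.append(f"RDN {n} ({rdn!r}): missing '='")
            continue
        atype, value = rdn.split("=", 1)
        atype = atype.strip()          # tolerate the usual space after a comma
        if not ATTR_TYPE.match(atype):
            problems.append(f"RDN {n}: bad attribute type {atype!r}")
        if value == "":
            problems.append(f"RDN {n}: empty value for {atype}")
        elif value[0] == " " or value[-1] == " ":
            problems.append(f"RDN {n}: unescaped leading/trailing space in value {value!r}")
        if UNESCAPED_SPECIAL.search(value):
            problems.append(f"RDN {n}: unescaped special character in value {value!r}")
        if not VALUE_SYNTAX.fullmatch(value):
            problems.append(f"RDN {n}: invalid backslash escape in value {value!r}")
    return problems


if __name__ == "__main__":
    for sample in ("CN=svc-panorama,OU=Service Accounts,DC=example,DC=com",
                   "CN=svc-panorama,OU Service Accounts,DC=example,DC=com",
                   "svc-panorama@example.com"):
        print(sample, "->", check_bind_dn(sample) or "ok")
```

Run it on the exact string you are about to paste into the LDAP profile; a clean result does not prove the object exists in AD (an ldapsearch with that bind DN does that), but it rules out the class of error described in the thread.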
