Is it possible to authenticate users using their AD credentials when they log into Panorama? Short of giving administrators their own login into Panorama, I'm unable to track who has changed what.
I've read through the LDAP guide, but it focuses on the actual security devices and not Panorama.
Has anyone done this or know if it is possible?
Yes, but you'll need a RADIUS server. You'll add the Panorama to the RADIUS clients using the RADIUS standard client-vendor attributes. Then create a strong password for the shared secret. Write that down, and we'll come back to that next.
Then you'll need to add the RADIUS policies. For a Windows RADIUS server, we use the "Client Friendly Name Matches" and use the name of the RADIUS client you just added, and "Windows-Groups matches" for the group of users you want to authenticate.
Then click on the "Edit Profile" button. Under the authentication tab, check everything but "Encrypted authentication (CHAP)" and "Allow clients to connect without negotiating an authentication method."
Then stop and start the RADIUS server.
Then create a RADIUS profile in Panorama. Add the IP address of the RADIUS server and enter the shared secret you assigned for that server. Then you should be able to add the administrative user's short name, and select the checkbox for RADIUS authentication. Commit the change and try it out.
I think that's everything we had to do to make it work.
You should be able to use LDAP directly for checking the account credentials, but you would still need to set up the admin accounts within Panorama, as it will only use the LDAP connection for checking the password. If you want to avoid setting up the accounts explicitly, you can use RADIUS VSAs to have Panorama (or the device) leverage directory information to determine which accounts should have access to the system (and what level of access).
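An added example, not part of either reply above: a Python check that an Access-Accept captured between the RADIUS server and Panorama was produced with the shared secret configured on both sides, and that it carries the role VSA the second reply describes. The vendor ID 25461 and VSA numbers 3 and 4 are taken from Palo Alto Networks' RADIUS dictionary rather than from this thread; the function names, the secret and the role string are constructed for illustration.

```python
import hashlib
import hmac
import struct

PALO_ALTO_VENDOR_ID = 25461  # assumption: from Palo Alto's RADIUS dictionary
# Assumption: VSA numbers Panorama reads for admin logins (same dictionary)
PAN_VSA_NAMES = {3: "PaloAlto-Panorama-Admin-Role",
                 4: "PaloAlto-Panorama-Admin-Access-Domain"}

def parse_attributes(data):
    """Yield (type, value) for each type/length/value attribute (RFC 2865)."""
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data) or data[pos + 1] < 2 or pos + data[pos + 1] > len(data):
            raise ValueError("malformed attribute")
        atype, alen = data[pos], data[pos + 1]
        yield atype, data[pos + 2:pos + alen]
        pos += alen

def check_access_accept(packet, request_auth, secret):
    """Verify the Response Authenticator, then return Palo Alto VSAs as a dict.
    request_auth is the 16-byte authenticator of the matching Access-Request."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 2 or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    # RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch (shared secret differs?)")
    roles = {}
    for atype, value in parse_attributes(packet[20:]):
        if atype != 26 or len(value) < 6:  # 26 = Vendor-Specific
            continue
        if struct.unpack("!I", value[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue
        for vtype, vvalue in parse_attributes(value[4:]):
            name = PAN_VSA_NAMES.get(vtype, f"PaloAlto-VSA-{vtype}")
            roles[name] = vvalue.decode("utf-8", errors="replace")
    return roles

def build_sample_accept(ident, request_auth, secret, role):
    """Constructed sample: an Access-Accept carrying one Panorama role VSA."""
    sub = bytes([3, 2 + len(role)]) + role.encode()
    vsa = bytes([26, 6 + len(sub)]) + struct.pack("!I", PALO_ALTO_VENDOR_ID) + sub
    header = struct.pack("!BBH", 2, ident, 20 + len(vsa))
    auth = hashlib.md5(header + request_auth + vsa + secret).digest()
    return header + auth + vsa
```

An empty result from `check_access_accept` on a real capture means the server authenticated the user but returned no Palo Alto VSA, so Panorama would still need the account defined locally.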