Dynamic Administrator Authentication based on Active Directory Group rather than named users?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Dynamic Administrator Authentication based on Active Directory Group rather than named users?

L1 Bithead

Hello,

 

We have an environment with several adminstrators from a rotating NOC. With the current LDAP method to my understanding we have to manually add the administrator name to the PA administrators list before login will work (e.g. jdoe). We would like to be able to tie it to an AD group (e.g. "Firewall Admins") so anyone who is a member of that group will get access with no further configuration. This is possible in pretty much all other systems we work with (Cisco ASA, etc.)

 

My research has led that this isn't possible with LDAP but might be possible with RADIUS/NPS and attributes (which I'm comfortable with setting up)

 

Before I go to the trouble, do I still have to manually add named administrators to the firewall config with the RADIUS setup, or will they be autocreated? (e.g. if I log in as "jdoe" to the firewall and have never logged in before or added him as an administrator, as long as he is a member of "Firewall Admins" he will get access to the firewall with the access class defined in his RADIUS attribute)?

 

Thanks for any assistance.

1 accepted solution

Accepted Solutions

To close out this thread, it is in the documentation, RADIUS is the only option but it will work:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/authentication/configure-a-radius-se...

 

"You can configure Palo Alto Networks devices to use a RADIUS server for authenticating users, managing administrator accounts (if they are not local)"

 

The online help is more specific:

Select the authentication profile (or sequence) that the firewall uses to authenticate administrators who have external accounts (accounts that are not defined on the firewall). Only authentication profiles that have a type set to RADIUS and that reference a RADIUS server profile are available for this setting. When external administrators log in, the firewall requests authentication information (including the administrator role) from the RADIUS server."

I set it up using the vendor specific attributes as the guide discusses and it works as expected, I can now assign administrators based on AD group (at the Network Policy Server level) and users who have never logged into the PA before can now authenticate as administrators.

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

I've never actually tried this but couldn't you use an authentication profile that has an allow list with just that one group? When I choose our LDAP auth profile I can provide settings for the profile on a whole, so I'm fairly certain that should work perfectly fine? 

Problem is you still have to add them on an individually named basis to the administrators list. Here's an example of trying to do it your way with a member of the group but not having the person explicity added as an administrator (auth.log dump):

2016-12-21 14:26:44.392 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:1639): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 1, body length 2156
2016-12-21 14:26:44.392 -0800 debug: pan_auth_request_process(pan_auth_state_engine.c:1662): Trying to authenticate: <profile: "", vsys: "", username "t-jgrote">
2016-12-21 14:26:44.392 -0800 debug: _get_auth_prof_detail(pan_auth_util.c:925): "t-jgrote" is an admin user
2016-12-21 14:26:44.409 -0800 Error: pan_auth_cache_get_admin_authprof(pan_auth_cache_adminusers.c:222): No default auth profile found for username t-jgrote
2016-12-21 14:26:44.409 -0800 Error: _get_admin_authentication_profile_by_name(pan_auth_util.c:501): No admin auth prof found with the name t-jgrote
2016-12-21 14:26:44.409 -0800 Error: _get_admin_authentication_profile(pan_auth_util.c:546): No auth prof/vsys is found for admin user "t-jgrote"
2016-12-21 14:26:44.409 -0800 Error: pan_get_authprofile_n_setting(pan_auth_util.c:1014): Failed to get authentication profile for admin t-jgrote
2016-12-21 14:26:44.409 -0800 Error: pan_set_admin_user_stat(pan_auth_admin_login_stat.c:246): Admin user "t-jgrote" home dir "/opt/pancfg/home/t-jgrote" has NOT created yet
2016-12-21 14:26:44.409 -0800 Error: pan_auth_send_auth_resp(pan_auth_server.c:389): pan_set_admin_user_stat("t-jgrote", False)
2016-12-21 14:26:44.409 -0800 failed authentication for user 't-jgrote'. vsys 'shared', From: <REDACTED>.
2016-12-21 14:26:44.409 -0800 debug: _log_auth_respone(pan_auth_server.c:243): Sent FAILED auth response for user 't-jgrote' (exp_in_days=-1 (-1 never; 0 within a day))
2016-12-21 14:26:44.409 -0800 Error: pan_auth_request_process(pan_auth_state_engine.c:1713): Failed to get authentication profile
2016-12-21 14:26:44.409 -0800 Error: _taskq_worker(pan_taskq.c:622): Error executing tasks process fn


If I add him to administrators with the auth profile specified then it works fine. So that just filters who the profile applies to, but it appears they still have to be manually set up in "Administrators".

 

I suppose if I have to I could automate the process with a periodic powershell script that gets the group members and then updates the administrators table via the API, but I'd rather this be "native" if possible.

 

Looking for guidance, I can't imagine this is a terribly unusual request especially in larger organizations.

 

 EDIT: Also I'm looking to do this in Panorama, but if its doable at the individual PANOS level that is worth looking at.

 

Well that makes sense I guess. I have to imagine that TAC could likely give you some info if you opened a ticket on it; like you said this can't be that abnormal in a larger companies. 

Yeah that's my next step, just wanted to chime in here to make sure I'm not missing something obvious. I'll open a ticket and report back.

L7 Applicator
Before I go to the trouble, do I still have to manually add named administrators to the 
firewall config with the RADIUS setup, or will they be autocreated? (e.g. if I log in as
"jdoe" to the firewall and have never logged in before or added him as an administrator,
as long as he is a member of "Firewall Admins" he will get access to the firewall with
the access class defined in his RADIUS attribute)?

 

I have setup RADIUS auth on PA before and this is indeed what happens after when users login.  The RADIUS server was not MS but it did use AD groups for the permission mapping.  If users were in any of 3 groups they could log in and were mapped based on RADIUS attribute to the appropriate permission level setup on the PA.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

To close out this thread, it is in the documentation, RADIUS is the only option but it will work:
https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/authentication/configure-a-radius-se...

 

"You can configure Palo Alto Networks devices to use a RADIUS server for authenticating users, managing administrator accounts (if they are not local)"

 

The online help is more specific:

Select the authentication profile (or sequence) that the firewall uses to authenticate administrators who have external accounts (accounts that are not defined on the firewall). Only authentication profiles that have a type set to RADIUS and that reference a RADIUS server profile are available for this setting. When external administrators log in, the firewall requests authentication information (including the administrator role) from the RADIUS server."

I set it up using the vendor specific attributes as the guide discusses and it works as expected, I can now assign administrators based on AD group (at the Network Policy Server level) and users who have never logged into the PA before can now authenticate as administrators.

  • 1 accepted solution
  • 7469 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!