02-18-2022 04:05 AM
Hi,
Is there any option in Palo Alto to create a single administrative account for a user group fetched from RADIUS?
02-18-2022 07:41 AM
This isn't an option available on the firewall. You can't tie a group to a single account.
02-18-2022 07:48 AM
Hi BPry,
Can we use a RADIUS auth profile? So from a single administrative account we can use a group to log in to the firewall. So we don't need to create an individual admin account for each user.
02-18-2022 07:57 AM
Hi @SubaMuthuram ,
Let me check if I understand your question correctly - you want a group of users to authenticate and use the same username for administering the firewall?
This doesn't look like a good idea... It is best practice to have personal administrative accounts. This way you always know who did what, and when. If you plan to have multiple users log in to the firewall with the same account, why complicate things by using RADIUS? Just create a local superadmin, put the password on a piece of paper and give it to the users (sorry, being sarcastic).
If I have misunderstood your question and you actually want to control which users are allowed to connect to the firewall admin based on group membership: yes, that can be configured.
I would suggest you check this link - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-a... There you can see which protocols support both external authentication and authorization (meaning you don't have to create an account on the firewall).
From there you can check how to set up RADIUS for admin login: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-radius-authentic...
02-18-2022 11:30 AM
This is what I was looking for,
From there you can check how to set up RADIUS for admin login: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-radius-authentic...