Group Based Administrator Account


L4 Transporter

Hi,

Is there any option in Palo Alto to create a single administrative account for a user group fetched from RADIUS?

Snow
4 REPLIES

Cyber Elite

@SubaMuthuram,

This isn't an option available on the firewall. You can't tie a group to a single account.

Hi BPry,

Can we use a RADIUS auth profile? So from a single administrative account we can use a group to log in to the firewall, so we don't need to create an individual admin account for each user.

Snow

Hi @SubaMuthuram,

Let me check if I understand your question correctly - you want a group of users to authenticate and use the same username for administering the firewall?

This doesn't look like a good idea... It is best practice to have personal administrative accounts. This way you always know who did what and when. If you plan to have multiple users log in to the firewall with the same account, why complicate things by using RADIUS? Just create a local superadmin, put the password on a piece of paper and give it to the users (sorry, being sarcastic).

If I haven't understood your question and you actually want to define which users are allowed to connect to the firewall admin, based on group membership: yes, that can be configured.

I would suggest you check this link - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-a... where you can see which protocols support both external authentication and authorization (meaning you don't have to create an account on the firewall).

From there you can check how to set up RADIUS for admin login: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-radius-authentic...

Hi @aleksandar.astardzhiev,

This is what I was looking for:

From there you can check how to set up RADIUS for admin login: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-radius-authentic...

Snow