08-08-2017 05:32 AM
I would like to create a custom Admin Role in PAN-OS 7.1.9 that is like a system admin for the device with the ability to configure and manage authentication, logging, licensing, certificates, dynamic updates, software, and administrators; however, when I am creating a new Admin Role, the Administrators and Admin Roles items can only be set to Read Only or Disabled. The account I am logged in with has the Superuser dynamic role.
Is it possible to create a custom role that can manage Administrators and Admin Roles?
08-08-2017 07:48 AM
The superuser role is the only admin role that is allowed to administer other Administrators or Admin Roles themselves.
If you grant someone the ability to modify Administrators and modify the Admin Roles you in essence give them the ability to enable their account as a superuser, therefore the function is locked to users already granted the administrator role.
08-08-2017 02:12 PM
If you use RADIUS/TACACS+ for authentication then you could do the user/rights management on your RADIUS server, or even better, if the RADIUS is connected to an Active Directory you could create a user group, and if a user from this group tries to log in the RADIUS will tell the firewall what Admin Role should be applied. This method could be used for all the mentioned points in your post except the local administrators, because of the reason already explained by @BPry. But also with this method you have to keep in mind: the admin of the RADIUS server will also be able to configure superuser rights, if he wants to ...
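As an added illustration of the RADIUS-returned-role approach described in this reply (example configuration written for this page, not from the poster, Palo Alto Networks, or the FreeRADIUS project): a FreeRADIUS 3.x policy that maps an Active Directory group to a PAN-OS Admin Role profile through the PaloAlto-Admin-Role vendor-specific attribute (vendor ID 25461, as shipped in FreeRADIUS's dictionary.paloalto; confirm the attribute names against the RADIUS dictionary for your PAN-OS version). It assumes the firewall is configured to use this RADIUS server for both authentication and authorization of administrators and that the `ldap` module is already set up against AD. The client address, shared secret, group DNs and the role name "sysadmin-noadmins" are constructed placeholders.

```text
# /etc/raddb/clients.conf  (constructed example values)
client pan-fw-mgmt {
    ipaddr   = 192.0.2.10          # firewall management interface
    secret   = REPLACE_WITH_LONG_RANDOM_SECRET
    nas_type = other
}

# /etc/raddb/sites-enabled/default, post-auth section
# Assumes the 'ldap' module is configured against AD and listed in the
# authorize section, so LDAP-Group membership checks are available here.
post-auth {
    # Device administrators: map the AD group to the custom Admin Role
    # profile named "sysadmin-noadmins" on the firewall. Whatever that
    # profile allows for Administrators / Admin Roles is the ceiling;
    # RADIUS cannot grant more than the profile itself defines.
    if (LDAP-Group == "CN=FW-SysAdmins,OU=Groups,DC=example,DC=com") {
        update reply {
            PaloAlto-Admin-Role := "sysadmin-noadmins"
        }
    }
    # Break-glass group: only this group may receive the built-in
    # superuser role, which is the only role able to manage admins.
    elsif (LDAP-Group == "CN=FW-Superusers,OU=Groups,DC=example,DC=com") {
        update reply {
            PaloAlto-Admin-Role := "superuser"
        }
    }
    # Anyone who authenticated but is in neither group gets no role and
    # therefore no admin access: reject explicitly rather than fall through.
    else {
        reject
    }
}
```

The string placed in PaloAlto-Admin-Role must match the name of the Admin Role profile (or built-in dynamic role) on the firewall exactly. Note that this example also shows the caveat raised in the reply: whoever can edit this policy can hand out "superuser", so the RADIUS server and its LDAP group memberships need the same change control and monitoring as the firewall's own administrator list.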
08-09-2017 05:43 AM
Interesting idea. I don't know much about TACACS+, but I don't like PAN's implementation of RADIUS since it only uses unencrypted PAP unless you are in FIPS mode and even then it only uses CHAP. I use Kerberos today.
08-09-2017 05:59 AM
Just a thought, but you probably have a bigger problem if an attacker is able to capture your RADIUS traffic than PAP really is (the firewall management and RADIUS server are in protected networks).
But I know what you're saying.
And I totally forgot to mention: SAML
Only works with the WebUI and not for SSH, but it is also a great method for authentication, and passwords aren't sent at all to the firewall, only to your SAML IdP.