Panorama admin authentication and Admin Roles

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Panorama admin authentication and Admin Roles

L1 Bithead

 Hello,

 

Is there a best practices guide regarding Panorama Admin roles that includes the pros and cons of using Radius vs Active Directory or even TACACS+ to authenticate Firewall/Network admins.   What are other large Enterprise environments doing?

 

Goals:

1. Minimize account administration in multiple locations

2. As we already have strong Active Directorty IDM in place, would like to leverage membership in AD groups directly from the Panorama Admin Role (i.e. not leverage Radius).  Not a huge fan of Cisco ACS and not looking to purchase a different solution.

3.  Leverage the same schema across all firewalls

4.  Not interfere with USER-ID

 

Currently we are running Panorama 7.06 and in the process of upgrading 100+ FW's to 7.06 , currently on 5.0.14-h3.  

1 REPLY 1

L6 Presenter

Hi...Since you want to leverage group membership for admin access, I recommend using RADIUS authentication with Microsoft NPS.  There are several discussions on this and here's one:

 

https://live.paloaltonetworks.com/t5/General-Topics/Palo-Alto-RADIUS-authentication-against-Microsof...

 

The PA supports Radius VSA to tie to AD groups:

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/RADIUS-Vendor-Specific-Attributes-VSA/ta...

 

You can use Panorama with template to push the admin access control & admin roles to all PAs on the networks.

 

Thanks,

  • 1722 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!