05-10-2016 06:50 AM
Hello,
Is there a best practices guide regarding Panorama Admin roles that includes the pros and cons of using Radius vs Active Directory or even TACACS+ to authenticate Firewall/Network admins. What are other large Enterprise environments doing?
Goals:
1. Minimize account administration in multiple locations
2. As we already have strong Active Directorty IDM in place, would like to leverage membership in AD groups directly from the Panorama Admin Role (i.e. not leverage Radius). Not a huge fan of Cisco ACS and not looking to purchase a different solution.
3. Leverage the same schema across all firewalls
4. Not interfere with USER-ID
Currently we are running Panorama 7.06 and in the process of upgrading 100+ FW's to 7.06 , currently on 5.0.14-h3.
05-10-2016 06:59 AM
Hi...Since you want to leverage group membership for admin access, I recommend using RADIUS authentication with Microsoft NPS. There are several discussions on this and here's one:
The PA supports Radius VSA to tie to AD groups:
You can use Panorama with template to push the admin access control & admin roles to all PAs on the networks.
Thanks,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
