I'm trying to set up NGFW in a lab environment where all users have an account defined in a centralized authentication store. We're using FreeIPA, which provides authentication services via LDAP and Kerberos.
I've gotten authentication working with LDAP, but it requires specifying a unique Administrator account and then pointing it to the Authentication Profile associated with the LDAP Authentication Server.
IMHO, this completely defeats the purpose of having a centralized directory.
Is there a way to set up NGFW to authenticate users based on group membership so I don't have to create unique admin user objects?
It looks like this is possible via RADIUS but not via LDAP. It looks like it's possible to set up a FreeRADIUS server in conjunction with FreeIPA. If setting up LDAP Group Membership checking isn't possible with NGFW, I may go that route.
Thanks in advance!
Hi @JeffH-SecBBQ,
There is a way to set up the NGFW to authenticate administrators based on group membership so you don't have to create unique admin user objects. It is done under Device > Setup > Management > Authentication Settings. Notice that it supports only RADIUS, TACACS+, or SAML.
The reason, I believe, is that those protocols can also specify the role to be used in addition to authenticating. With local admins, you specify the role. With centralized admins, the authentication server needs to specify the role. You could have one group for superusers, one group for read-only superusers, etc.
With RADIUS, the roles are configured with VSAs. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK
Here is the dictionary. https://docs.paloaltonetworks.com/resources/radius-dictionary
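To make the group-to-role mapping concrete, here is an added example (not from the reply above and not a Palo Alto or FreeRADIUS-supplied configuration) of FreeRADIUS 3.x fragments that authenticate firewall admins against FreeIPA's LDAP tree and return the PaloAlto-Admin-Role VSA (vendor 25461, attribute 1, as defined in the FreeRADIUS dictionary.paloalto) according to FreeIPA group membership. The host name, bind account, realm DN and the two group names are constructed lab values; the role strings "superuser" and "superreader" are the firewall's predefined dynamic admin roles.

```conf
# Added example, not from the original thread. Assumed lab values:
# FreeIPA server ipa.lab.example, realm DN dc=lab,dc=example, a FreeIPA
# system account used only for the RADIUS bind, and two FreeIPA groups
# (fw-superusers, fw-readonly) that map to firewall admin roles.

# --- mods-available/ldap (only the keys that matter here) ---
ldap {
    server = 'ldaps://ipa.lab.example'                       # assumed FreeIPA host
    identity = 'uid=radius-bind,cn=sysaccounts,cn=etc,dc=lab,dc=example'
    password = 'CHANGE-ME'                                   # placeholder bind secret
    base_dn = 'cn=accounts,dc=lab,dc=example'                # FreeIPA default DIT

    user {
        base_dn = "cn=users,${..base_dn}"
        # Look the admin up by uid; Stripped-User-Name is used if a realm was removed
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
    }

    group {
        base_dn = "cn=groups,${..base_dn}"
        filter = '(objectClass=posixGroup)'
        name_attribute = 'cn'
        membership_attribute = 'memberOf'                    # FreeIPA maintains memberOf on users
    }
}

# --- mods-config/files/authorize (the "users" file) ---
# The files module must run after the ldap module in the authorize section so
# that the LDAP-Group check attribute can be evaluated. Entries are tried in
# order and the first match wins, so the most privileged group is listed first.
DEFAULT    LDAP-Group == "fw-superusers"
           PaloAlto-Admin-Role = "superuser"

DEFAULT    LDAP-Group == "fw-readonly"
           PaloAlto-Admin-Role = "superreader"

# Anyone who authenticates but is in neither group is rejected outright, so the
# firewall never receives an Access-Accept without a role attribute.
DEFAULT    Auth-Type := Reject
           Reply-Message = "Not a member of a firewall admin group"
```

Two points worth checking when wiring this up: the firewall's RADIUS Server Profile must use the same shared secret as the matching `client` entry in clients.conf, and removing a user from the FreeIPA group is what revokes their firewall access, since the next login simply hits the final Reject entry. The group names and DNs above are assumptions for a lab; substitute your own.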