PAN-OS NGFW - LDAP Authentication via Group Membership - Admin UI


L1 Bithead

Hello,

I'm trying to set up NGFW in a lab environment where all users have an account defined in a centralized authentication store. We're using FreeIPA, which provides authentication services via LDAP and Kerberos.

I've gotten authentication working with LDAP, but it requires specifying a unique Administrator account and then pointing it to the Authentication Profile associated with the LDAP Authentication Server.

IMHO, this completely defeats the purpose of having a centralized directory.

Is there a way to set up NGFW to authenticate users based on group membership so I don't have to create unique admin user objects?

It looks like this is possible via RADIUS but not via LDAP. It also looks like it's possible to set up a FreeRADIUS server in conjunction with FreeIPA. If setting up LDAP group membership checking isn't possible with NGFW, I may go that route.

Thanks in advance!


Cyber Elite

Hi @JeffH-SecBBQ,

There is a way to set up the NGFW to authenticate administrators based on group membership so you don't have to create unique admin user objects. It is done under Device > Setup > Management > Authentication Settings. Notice that it supports only RADIUS, TACACS+, or SAML.

[Screenshot: Device > Setup > Management > Authentication Settings]

The reason, I believe, is that those protocols can also specify the role to be used in addition to authenticating. With local admins, you specify the role. With centralized admins, the authentication server needs to specify the role. You could have one group for superusers, one group for read-only superusers, etc.

With RADIUS, the roles are configured with VSAs: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK

Here is the dictionary: https://docs.paloaltonetworks.com/resources/radius-dictionary

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.
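As an added example (not code from Tom's reply, from the original poster, or from Palo Alto Networks), the following Python models the RADIUS leg of the design this thread arrives at: the RADIUS server decides the PAN-OS admin role from the user's LDAP group membership and returns it to the firewall inside a RADIUS Vendor-Specific Attribute (RFC 2865 type 26), and the receiving side parses that attribute back and checks it before trusting it. The vendor id 25461 and the PaloAlto-Admin-Role attribute number 1 are taken from the published Palo Alto RADIUS dictionary linked above (check them against the current file); the group DNs, the group-to-role mapping, and the role names used are constructed for this example and are not from the thread.

```python
"""Model of the RADIUS role assignment discussed in the thread.

Server side: map the user's LDAP memberOf values to a PAN-OS admin role and
encode it as a Vendor-Specific Attribute for the Access-Accept.
Firewall side: decode the attribute defensively and recover the role.

Constructed example; group DNs and the group-to-role table are made up.
"""
import struct
from typing import Dict, List, Optional

# From the Palo Alto RADIUS dictionary (verify against the linked file).
PALOALTO_VENDOR_ID = 25461      # vendor (IANA enterprise) number
PALOALTO_ADMIN_ROLE = 1         # PaloAlto-Admin-Role, string
RADIUS_VENDOR_SPECIFIC = 26     # RFC 2865 Vendor-Specific attribute type

# Constructed mapping, most privileged group first so a user in several
# groups receives the highest role they are entitled to.  Role names are
# PAN-OS built-in dynamic roles; confirm they exist on your version.
GROUP_TO_ROLE = [
    ("cn=fw-admins,cn=groups,cn=accounts,dc=lab,dc=example", "superuser"),
    ("cn=fw-auditors,cn=groups,cn=accounts,dc=lab,dc=example", "superreader"),
]


def role_for_groups(member_of: List[str]) -> Optional[str]:
    """Pick the admin role from memberOf values (DNs compared case-insensitively).

    Returns None when the user is in no mapped group: the server then sends no
    role and, as Tom notes, the firewall has nothing to grant.
    """
    groups = {g.lower() for g in member_of}
    for dn, role in GROUP_TO_ROLE:
        if dn.lower() in groups:
            return role
    return None


def encode_vsa(vendor_type: int, value: str) -> bytes:
    """Build one Vendor-Specific attribute (RFC 2865 section 5.26).

    Layout: Type(26) Length Vendor-Id(4) | Vendor-Type Vendor-Length String
    """
    data = value.encode()
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + inner
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_vsa(attr: bytes) -> Dict[str, object]:
    """Parse a Vendor-Specific attribute back into vendor id, vendor type and value.

    Every length field is checked against the bytes actually present; a
    receiver should reject inconsistent lengths rather than index past them.
    """
    if len(attr) < 8 or attr[0] != RADIUS_VENDOR_SPECIFIC:
        raise ValueError("not a Vendor-Specific attribute")
    length = attr[1]
    if length != len(attr):
        raise ValueError("attribute length does not match data")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_len < 2 or vendor_len != length - 6:
        raise ValueError("vendor-length does not match data")
    value = attr[8:8 + vendor_len - 2].decode()
    return {"vendor_id": vendor_id, "vendor_type": vendor_type, "value": value}


def access_accept_role(member_of: List[str]) -> Optional[str]:
    """End to end: server chooses the role, firewall side reads it back.

    Only a PaloAlto-Admin-Role attribute from the Palo Alto vendor id counts.
    """
    role = role_for_groups(member_of)
    if role is None:
        return None
    parsed = decode_vsa(encode_vsa(PALOALTO_ADMIN_ROLE, role))
    if parsed["vendor_id"] != PALOALTO_VENDOR_ID or parsed["vendor_type"] != PALOALTO_ADMIN_ROLE:
        return None
    return str(parsed["value"])


if __name__ == "__main__":
    admin = ["cn=fw-admins,cn=groups,cn=accounts,dc=lab,dc=example",
             "cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=example"]
    plain_user = ["cn=ipausers,cn=groups,cn=accounts,dc=lab,dc=example"]
    print(access_accept_role(admin))        # superuser
    print(access_accept_role(plain_user))   # None
```

In a real FreeRADIUS deployment the `role_for_groups` step is policy that runs after the LDAP module has authenticated the user against FreeIPA and fetched memberOf, and the attribute is added to the Access-Accept reply list; the firewall only needs the matching dictionary entry, which it already has.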

L1 Bithead

@TomYoung, that's a phenomenal explanation! Thank you so much! I will continue setting up FreeRADIUS to proxy authentication against FreeIPA via LDAP, then set up NGFW to authenticate against FreeRADIUS.

Much appreciated!!!
