Configure Palo Alto TACACS+ authentication against Cisco ISE

Overview

You can use TACACS+ to authenticate and authorize users into the Palo Alto firewall which eliminates the need to configure and manage local user accounts. The goal here is to make sure that the firewall administrators can log in to Palo Alto using the TACACS+ protocol where the ISE authenticates the user and inform Palo Alto what they can access.

Software version

  1. Cisco ISE - 3.0 (The process is exactly the same for older versions)
  2. Palo Alto 10.1.3

Access requirements

  • Users who are part of the Network-Admins group will have full access
  • Users who are part of the IT-Ops group will have very limited read-only access
Please note that I'm using Local Identity Groups in this example. In a real world, more likely you will be using AD groups.

Palo Alto Configurations

The following three-step process enables TACACS+ authentication on the firewall. Step - 4 is optional as you can use the built-in admin roles rather than creating the custom roles.

Step 1 - Add TACACS+ server by Navigating to Device > Server Profiles > TACACS+. I'm using CHAP as the authentication protocol which is considered more secure than PAP (make sure CHAP is allowed on Cisco ISE)

TACACS+ Server

Step 2 - Configure Authentication Profile

Authentication profile describes the authentication service (TACACS+ in our case) that validates the login credentials of firewall administrators who access the web interface and CLI.


Step 3 -Authentication Settings

Reference the Authentication profile created in Step - 2 by navigating to Device > Setup > Management > Authentication Settings

When external administrators log in, the firewall requests authentication and authorization information (administrative role) from the ISE.

Default is 'None' which disables authentication for external administrators.

Step - 4 Configure Admin Roles (optional)

I created two Admin Role Profiles as follows

  • network-admin - Provides full access to both GUI and CLI. 'superuser' role is assigned to the CLI access.
  • it-operations - Provides read-only access to the Monitor tab and no access to the CLI.

The role names should match on ISE TACACS+ profiles, more on this later.

Full Access
Read-Only

Cisco ISE Configurations

As you can see below, I have two local users Bob and Max. Bob is part of the Network-Admins group and Max is part of the IT-Ops group.

Identities

Step - 1 Add Palo Alto into the  ISE by navigating to Administration > Network Devices

Devices that you want to manage via TACACS+ need to be added to the ISE. Please note that the shared secret must match between the devices.

Network Devices

Step - 2 Create TACACS+ Profiles

Navigate to Work Centers > Device Administration > Policy Elements > TACACS Profiles and create two profiles with the custom attributes.

Please note that the value of the attibute should match the roles we configured on Palo Alto.

Once the authorization is completed, ISE will send a TACACS authorization response message to the firewall which includes the custom attribute names (VSAs) so, the firewall would know which admin role to apply to that specific user.


Step - 3 Policy Sets

This is the final step where the Profiles are attached to the Authorization Policy.


Verification

As you can see below, I only have the 'local' admin account and nothing else.

Administrators

Bob logins to the Palo Alto

As you can see below, Bob gets full access to the Web GUI.

Bob's access
Bob Login

Max logins to the Palo Alto

As you can see below, Max gets very restricted access to the 'monitor' tab.

Max's access
Max login

References

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO&lang=en_US%E2%80%A9

TACACS+

Thank you for reading. As always your comments and feedbacks are always welcome