You can use TACACS+ to authenticate and authorize users into the Palo Alto firewall which eliminates the need to configure and manage local user accounts. The goal here is to make sure that the firewall administrators can log in to Palo Alto using the TACACS+ protocol where the ISE authenticates the user and inform Palo Alto what they can access.
- Cisco ISE - 3.0 (The process is exactly the same for older versions)
- Palo Alto 10.1.3
- Users who are part of the Network-Admins group will have full access
- Users who are part of the IT-Ops group will have very limited read-only access
Please note that I'm using Local Identity Groups in this example. In a real world, more likely you will be using AD groups.
Palo Alto Configurations
The following three-step process enables TACACS+ authentication on the firewall. Step - 4 is optional as you can use the built-in admin roles rather than creating the custom roles.
Step 1 - Add TACACS+ server by Navigating to Device > Server Profiles > TACACS+. I'm using CHAP as the authentication protocol which is considered more secure than PAP (make sure CHAP is allowed on Cisco ISE)
Step 2 - Configure Authentication Profile
Authentication profile describes the authentication service (TACACS+ in our case) that validates the login credentials of firewall administrators who access the web interface and CLI.
Step 3 -Authentication Settings
Reference the Authentication profile created in Step - 2 by navigating to Device > Setup > Management > Authentication Settings
When external administrators log in, the firewall requests authentication and authorization information (administrative role) from the ISE.
Default is 'None' which disables authentication for external administrators.
Step - 4 Configure Admin Roles (optional)
I created two Admin Role Profiles as follows
- network-admin - Provides full access to both GUI and CLI. 'superuser' role is assigned to the CLI access.
- it-operations - Provides read-only access to the Monitor tab and no access to the CLI.
The role names should match on ISE TACACS+ profiles, more on this later.
Cisco ISE Configurations
As you can see below, I have two local users Bob and Max. Bob is part of the Network-Admins group and Max is part of the IT-Ops group.
Step - 1 Add Palo Alto into the ISE by navigating to Administration > Network Devices
Devices that you want to manage via TACACS+ need to be added to the ISE. Please note that the shared secret must match between the devices.
Step - 2 Create TACACS+ Profiles
Navigate to Work Centers > Device Administration > Policy Elements > TACACS Profiles and create two profiles with the custom attributes.
Please note that the value of the attibute should match the roles we configured on Palo Alto.
Once the authorization is completed, ISE will send a TACACS authorization response message to the firewall which includes the custom attribute names (VSAs) so, the firewall would know which admin role to apply to that specific user.
Step - 3 Policy Sets
This is the final step where the Profiles are attached to the Authorization Policy.
As you can see below, I only have the 'local' admin account and nothing else.
Bob logins to the Palo Alto
As you can see below, Bob gets full access to the Web GUI.
Max logins to the Palo Alto
As you can see below, Max gets very restricted access to the 'monitor' tab.
Thank you for reading. As always your comments and feedbacks are always welcome