Palo Alto Networks Knowledgebase: How to configure Tacacs authentication with Palo Alto Networks firewall
Created On 02/07/19 23:49 PM - Last Updated 02/07/19 23:49 PM
Palo Alto Networks has recently started supporting TACACS+ with the release of PAN-OS 7.0. This document explains TACACS+ authentication to the Palo Alto Networks firewall with read-only and read-write access, using a Cisco ACS server.
Create a TACACS+ server profile. If you have a secondary (backup) TACACS+ server, add it here as well.
Create an authentication profile.
In the authentication profile, select the TACACS+ server profile created above.
By default there are three admin roles: auditadmin, cryptoadmin and securityadmin. Use the securityadmin role for read-write access.
Create another admin role with limited (read-only) access. In this example the Policies, Objects, Network, and Device tabs are disabled.
Each administrator must be defined individually on the firewall, because in this release only RADIUS supports passing role assignments for non-local administrators through vendor-specific attributes (VSAs).
Configure the Cisco ACS server. Create the list of usernames that are defined locally on the Palo Alto Networks firewall.
Create a shell profile with these details:
Attribute: Cisco-av-pair
Requirement: Mandatory
Value: shell:priv-lvl=15
Create an authorization policy and apply the shell profile created earlier. A successful login then appears in the ACS server's authentication log with the status Passed.
To troubleshoot, test the authentication from the firewall CLI with the following command (the firewall prompts for the password):
> test authentication authentication-profile ACS username <name> password
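The shared secret entered in the TACACS+ server profile is the only thing protecting the packet body between the firewall and ACS, and the header (including the session ID) always travels in the clear. The following Python is an added example, not part of this article or of PAN-OS: it builds and parses a TACACS+ authentication START packet with the RFC 8907 MD5 pseudo-pad, using a constructed secret, session ID and username, and shows that a wrong secret yields silent garbage rather than an error, which is why a strong, per-device secret (and TLS or a dedicated management network where available) matters.

```python
import hashlib
import struct

# Constructed sample values for this example; nothing here comes from the KB article.
SECRET = b"example-shared-secret"
SESSION_ID = bytes.fromhex("1a2b3c4d")

TAC_PLUS_VERSION = 0xC0      # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01       # packet type: authentication
TAC_PLUS_UNENCRYPTED = 0x01  # header flag: body is sent without obfuscation
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, key=SECRET, session_id=SESSION_ID, priv_lvl=1, port=b"", rem_addr=b""):
    """Authentication START packet (seq_no 1) as the firewall (client) would send it."""
    body = struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    # Header is never obfuscated: version, type, seq_no, flags, session_id, body length.
    header = struct.pack("!BBBB4sI", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, 1)

def parse_authen_start(packet, key):
    """Recover the START fields; a wrong key gives inconsistent lengths, not an exception."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    return {"seq_no": seq_no, "priv_lvl": priv_lvl, "user": body[8:8 + ulen],
            "lengths_consistent": 8 + ulen + plen + rlen + dlen == length}
```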