Palo Alto Networks Knowledgebase: How to configure Tacacs authentication with Palo Alto Networks firewall

How to configure Tacacs authentication with Palo Alto Networks firewall

Created On 02/07/19 23:49 PM - Last Updated 02/07/19 23:49 PM
Palo Alto Networks has recently started supporting Tacacs with the release of PAN-OS 7.0. This document explains Tacacs authentication with the Palo Alto Networks firewall with read-only and read-write access using Cisco ACS server. 
  1. Create a Tacacs server profile. If you have secondary backup Tacacs server you can add it.
  2. Create an authentication profile.
  3. Call the Tacacs server profile.
  4. By default we have 3 admin roles.
    Use securityadmin role for READ_WRITE access
  5. Create another admin role with limited access. In this example policies, objects, networks, and devices are disabled.
  6. Administrators must be individually defined because currently only Radius is supported for non-local admin authentication, such as VSAs.
  7. Configure the Cisco ACS server.
    Create a list of usernames that are defined on the Palo Alto Networks locally.
  8. Create a shell profile with these details:
    Attribute: Cisco-av-pair
    Requirement: Mandatory
    Value: shell:priv-lvl=15
  9. Create an Authorization Policy and apply the shell profile created earlier.
    Here are the successful Passed authentication logs from ACS server.



To troubleshoot, use a test command to check the authentication.

> test authentication authentication-profile ACS username <name> password


System logs:





  • Print
  • Copy Link

Choose Language