RADIUS Vendor-Specific Attributes (VSA)

Overview

This document explains the RADIUS Vendor Specific Attributes (VSA) used with the Palo Alto Networks Next Generation Firewalls and Panorama server. The configuration on the Palo Alto Networks device and Panorama server are identical.

Note: Palo Alto Networks uses the vendor code: 25461

There are 5 attributes:

• PaloAlto-Admin-Role: Attribute #1 - This can either be a default admin role name or a custom admin role name.
• PaloAlto-Admin-Access-Domain: Attribute #2 - This is used when a Palo Alto Networks device has multiple vsys.  This is the name of an Access Domain as created under Device > Access Domains.
• PaloAlto-Panorama-Admin-Role: Attribute #3 - This can either be a default admin role name or a custom admin role name on Panorama.
• PaloAlto-Panorama-Admin-Access-Domain: Attribute #4 - This is the name of an Access Domain configured on Panorama as created under Panorama > Access Domains.
• PaloAlto-User-Group: Attribute #5 - This is the name of a group to be used in an Authentication Profile.

1. Create a RADIUS server, if you do not already have one. Retrieving the user group is a VSA-specific feature and is not necessary with normal RADIUS configurations.

   
   
   

2. Create an Authentication profile.  If you want to use the group name to filter out RADIUS authentication requests for users who should not have login access, enter the group name in the Additional Users on the Allow List window.  The group name used in this example is testgroup.
   Note: Configuring the Allow List is optional.
   
   
   
3. Panorama settings:
   1. Configure an Admin Role for the Panorama admin access.  This allows Panorama to know what permissions are associated with the user access.
   2. Go to Device > Admin Role to create an Admin Role. This role grants the correct privileges to the user logging in. The Admin Role used in this example is a testrole.
   3. Make sure to check the option for Device Group and Templates to only allow access to the specified devices in the access domain.
      
      
      
4. Configure the access domain, which tells Panorama what rights the user has.
   
   
   
5. Apply the authentication profile to the Palo Alto Networks device or Panorama.  Go to Device > Setup > Management > Authentication Profile on the device and at Panorama > Setup > Management > Authentication Profile on Panorama.

Windows 2003: Configuring Palo Alto Networks Vendor Specific Attributes (VSA) to Windows 2003 server.

Assumption: The RADIUS Client and Remote Access Policy are already configured.

1. Edit the existing Remote Access Profile.

   
   
   

2. Click Edit Profile button on the Remote Access Profile.

   
   
   

3. Select Advanced, then click the Add.

   
   
   

4. Scroll to Vendor-Specific and click Add.

   
   
   

5. In the next window, click Add to create the necessary Attributes.

   
   
   

6. In the Vendor-Specific Attribute Information window, select Enter Vendor Code and enter 25461 in the field to the right (below). Next, select "Yes, It conforms," then click "Configure Attribute…".

   
   
   

7. In the next window, enter the Vendor-assigned attribute number, from the first page of this document. The Attribute format should be string.  The Attribute value will depend on your configuration.

   Below is an example of a role (testrole) on a PAN device.

   

    

   NOTE : RADIUS users can only have superuser privileges by returning "superuser" as the role string in the VSA.
   >Changing VSA to "superuser" for PaloAlto-Admin-Role

    

   Below is an example of a vsys (vsys1) on a Palo Alto Networks device.

   

    

   Below is an example of a role (testrole) on a Panorama server.

   

    

   Below is an example of an access domain (Domain1) on a Panorama server.

   

    

   Below is an example of a group (testgroup) that can be used on both a Palo Alto Networks device and Panorama server.

   

    

   The example below shows the configuration of a Custom Admin Role on a Palo Alto Networks device (testrole) and group(testgroup) to be used in the Authentication Profile.  These were configured in the first section of this document.

   

    

Windows 2008 Network Policy Server: Configuring Palo Alto Networks Vendor Specific Attributes (VSA) to Windows 2008 server.

Assumption: The RADIUS Client and Network Policy are already configured.

1. Edit the existing Network Policy by right clicking on it, then clicking properties.

   
   
   

2. Click the Settings; tab, then Vendor Specific, then click the Add button.

   
   
   

3. Scroll down in the Attributes box and choose Vendor-Specific.

   
   
   

4. Click the Add button.

   
   
   

5. In the Vendor-Specific Attribute Information window, select Enter Vendor Code, then enter 25461 in the field to the right (as seen below). Next, select "Yes, It conforms," then click "Configure Attribute…".

   
   
   

6. In the next window you will enter the Vendor-assigned attribute number, from the first page of this document.  The Attribute format should be string.  The Attribute value will depend on your configuration.  Listed below are examples of all of the attributes that can be configured for a Palo Alto Networks device and Panorama server.

   Below is an example of a role (testrole) on a Palo Alto Networks device.

   

    

   Below is an example of a vsys (vsys1) on a Palo Alto Networks device.

   

    

   Below is an example of a role (testrole) on a Panorama server.

   

    

   Below is an example of an access domain (Domain1) on a Panorama server.

   

    

   Below is an example of a group (testgroup) that can be used on both a Palo Alto Networks device and Panorama server.

   

    

   In the following example we have configured a Custom Admin Role on a Palo Alto Networks device (testrole) and group (testgroup) to be used in the Authentication Profile.  These were configured in the first section of this document.

   

    

Cisco ACS

Next, configuring VSA on Cisco ACS 4.0 Server.

Assumption: RADIUS is configured and working with the Panorama server.

1. Create a file named palalto.ini in the Utils folder of the Cisco ACS server.

   

    

   Below is an example of what this ini file should include.

   
   
   

2. Save the ini file, include it in the ACS server by running the CSUtil.exe command which is in the bin folder of the ACS server.

   Example: CSUtil.exe –addUDV 0 C:\Program Files\CiscoSecure ACS v4.0\Utils\paloalto.ini

   
   
   

3. Within the ACS server, select the Interface Configuration page, then click on "RADIUS (PaloAlto)".

   
   
   

4. Choose the attributes you want to use.  We’ve selected all of them all in the example below. Click submit.

   
   
   

5. Edit the attributes on the ACS Group.  We’ve created a group called testgroup.

   
   
   

6. Once in the group, you can jump to the "RADIUS (PaloAlto)" section, as seen below.

   
   
   

7. Configure the options you wish to use. In the example below I have configured a Custom Admin Role on a Panorama server (testrole) and group(testgroup) to be used in the Authentication Profile.  These were configured in the first section of this document.

   

See Also

Configuring Cisco ACS 5.2 for use with Palo Alto Vendor Specific Attributes

owner: rnit