Palo Alto Networks Knowledgebase: Configuring Read-only Admin Access with RADIUS Running on Win2008 and Cisco ACS 5.2

Configuring Read-only Admin Access with RADIUS Running on Win2008 and Cisco ACS 5.2

5904
Created On 02/08/19 00:07 AM - Last Updated 02/08/19 00:08 AM
Content Release Deployment
Resolution

Overview

The Palo Alto Networks device has a built-in device reader role that has only read rights to the firewall. The superreader role gives administrators read-only access to the current device. This document describe how to configure the superreader role for RADIUS servers running on Microsoft Windows 2008 and Cisco ACS 5.2. The principle is the same for any predefined or custom role on the Palo Alto Networks device.

Roles are configured on the Palo Alto Networks device using Radius Vendor Specific Attributes (VSA).

Note: The RADIUS servers need to be up and running prior to following the steps in this document.

Steps

Windows Server 2008 Radius

  1. On the Palo Alto Networks device, go to Device > Server Profile > RADIUS and configure the RADIUS Server Profile using the IP address, port, and the shared secret for the RADIUS server.
    Screen Shot 2014-02-19 at 11.41.05 PM.png
  2. Go to Device > Authentication Profile and create an Authentication Profile using RADIUS Server Profile.
    Screen Shot 2014-07-04 at 9.21.37 AM.png
  3. Go to Device > Setup > Authentication Settings and choose the RADIUS Authentication Profile that was created in Step 1 (shown above):
    Screen Shot 2014-02-19 at 11.44.06 PM.png
  4. On the Windows Server, add the firewall as a client.
    Under NPS > RADIUS Clients and Servers > RADIUS Clients, create the client profile using the IP address of the firewall and a shared secret that will be used for the firewall:
    Screen Shot 2014-02-19 at 11.54.44 PM.png
  5. On the Windows Server, configure the Palo Alto Networks RADIUS VSA settings.
    Under NPS > Polices > Network Policies, create a specific policy that will be used by the firewall:
    Screen Shot 2014-02-19 at 11.59.01 PM.png
  6. Add the Vendor-Specific Attributes for the Palo Alto Networks firewall. Use 25461 as a Vendor code.
    Screen Shot 2014-02-20 at 12.00.09 AM.png
  7. In Configure Attribute, configure the “superreader” value that will give only read-only access to the users that are assigned to the group of users that will have that role:
    Screen Shot 2014-02-20 at 12.00.59 AM.png
  8. The setup should look similar to the following:
    Screen Shot 2014-02-20 at 12.01.09 AM.png
  9. On the Windows Server, configure the group of domain users to which will have the read-only admin role.  Under NPS > Polices > Network Policies, select the appropriate group in the Conditions tab of the policy:Screen Shot 2014-02-20 at 12.03.53 AM.png
  10. Test the login with the user that is part of the group
  11. After login, the user should have the read-only access to the firewall. No changes are allowed for this user (every window should be read-only and every action should be greyed out), as shown below:Screen Shot 2014-02-20 at 12.09.53 AM.png
  12. The connection can be verified in the audit logs on the firewall. The role that is given to the logged in user should be "superreader"
    Screen Shot 2014-02-20 at 12.12.15 AM.png

  13. If any problems with logging are detected, search for errors in the “authd.log” on the firewall by using the following command:
    > tail follow yes mp-log authd.log

Cisco ACS 5.2

  1. Follow Steps 1, 2 and 3 of the Windows 2008 configuration above, using the appropriate settings for the ACS server (IP address, port and shared secret).
  2. On the ACS, under RADIUS VSA create the PaloAlto VSA using the Vendor ID: 25461.
    Screen Shot 2014-02-20 at 12.26.19 AM.png
  3. After that, select the Palo Alto VSA and create the RADIUS Dictionaries using the Attributes and the IDs. Keep in mind that all the dictionaries have been created, but only the PaloAlto-Admin-Role (with the ID=1) is used to assign the read-only value to the admin account.
    Screen Shot 2014-02-20 at 12.24.18 AM.png

  4. Under Users on the Users and Identity Stores section of the GUI, create the user that will be used to login to the firewall.
    Screen Shot 2014-02-20 at 12.31.48 AM.png
  5. Under Policy Elements, create an Authorization Profile for the “superreader” role which will use the PaloAlto-Admin-Role Dictionary.
    Screen Shot 2014-02-20 at 12.34.01 AM.png
  6. In the Authorization part, under Access Policies, create a rule that will allow the access to the firewall’s IP address using the Permit read access PA Authorization Profile that was have created before.
    Screen Shot 2014-02-20 at 12.36.33 AM.png
  7. Test the login with the user that is part of the group.
  8. After login, the user should have the read-only access to the firewall. No changes are allowed for this user.
    Screen Shot 2014-02-20 at 12.40.28 AM.png
  9. The connection can be verified in the audit logs on the firewall.
  10. If any problems with logging are detected, search for errors in the “authd.log” on the firewall using the following command:
    > tail follow yes mp-log authd.log

See Also

Radius Vendor Specific Attributes (VSA) - For configuring admin roles with RADIUS running on Win 2003 or Cisco ACS 4.0.

owner: ialeksov



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKLCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language