Palo Alto Networks Knowledgebase: How to use Pre-defined Admin Roles using VSA and Cisco Radius ACS 4.0

Created On 02/07/19 23:53 PM - Last Updated 02/07/19 23:53 PM
Resolution

Overview:

The Palo Alto Networks firewall and Panorama have pre-defined administrative roles that a RADIUS server can assign at login through a Vendor Specific Attribute (VSA). This article explains how to configure Cisco ACS 4.0 to return one of these roles for a group of users.

The firewall itself has the following four pre-defined roles, all of which are case sensitive:

  superuser—Full access to the current device.

  superreader (Read Only)—Read-only access to the current device.

  deviceadmin—Full access to a selected device, except for defining new accounts or virtual systems.

  devicereader (Read Only)—Read-only access to a selected device.

The Panorama roles are as follows and are also case sensitive:

  superuser—Full access to the current device.

  superreader (Read Only)—Read-only access to the current device.

  panorama-admin—Full access to a selected device, except for defining new accounts or virtual systems.

Steps:

To have Cisco ACS return one of the pre-defined roles for the users in a group, configure the following:

In Group Setup, select the group to configure and click Edit Settings.

[Screenshot: 6.png]

From the drop-down menu, choose RADIUS (PaloAlto).

The RADIUS (PaloAlto) attributes are displayed. Select the check box for PaloAlto-Admin-Role and enter the name of the pre-defined admin role that users in this group should receive, exactly as listed above (the value is case sensitive, so superuser is accepted but SuperUser is not). Note that this attribute carries the firewall role; Panorama administrators receive their role through the separate PaloAlto-Panorama-Admin-Role attribute in the same vendor dictionary.

[Screenshot: 7.png]

Submit the change and restart the ACS service so that the new group settings take effect.

Log in to the firewall as a user who belongs to that group. Once RADIUS authentication succeeds, verify that the pre-defined admin role returned by ACS (for example, superuser) has been applied to the session: the user should have exactly the access that role grants and no more. If authentication succeeds but the expected access is missing, check the spelling and case of the role name entered in ACS before anything else.
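What ACS actually sends back after these steps is a RADIUS Access-Accept carrying the role name inside a Vendor-Specific attribute. The following Python script is an added example, not code from this article or from Palo Alto Networks or Cisco: it encodes a PaloAlto-Admin-Role VSA the way a RADIUS server would, decodes it the way a RADIUS client would, and applies the same exact, case-sensitive match against the pre-defined role names that the firewall relies on. The vendor ID 25461 and the vendor attribute number 1 are taken from the Palo Alto Networks RADIUS dictionary rather than from this page, so confirm them against the dictionary loaded in your ACS; the sample attribute bytes in demo() are constructed for the example.

```python
import struct

# Vendor-Specific attribute type from RFC 2865.
RADIUS_VSA_TYPE = 26
# Palo Alto Networks IANA enterprise number and the vendor attribute number of
# PaloAlto-Admin-Role. Assumption: taken from the vendor's RADIUS dictionary,
# not stated on this page; verify against the dictionary loaded in ACS.
VENDOR_ID_PALOALTO = 25461
VSA_ADMIN_ROLE = 1

# Pre-defined role names exactly as the firewall and Panorama expect them.
FIREWALL_ROLES = frozenset({"superuser", "superreader", "deviceadmin", "devicereader"})
PANORAMA_ROLES = frozenset({"superuser", "superreader", "panorama-admin"})


def build_admin_role_vsa(role: str) -> bytes:
    """Encode PaloAlto-Admin-Role=<role> as a RADIUS Vendor-Specific attribute.

    Wire layout: Type(26) Length Vendor-Id(4 bytes) Vendor-Type Vendor-Length Value.
    """
    value = role.encode("ascii")
    sub_attr = struct.pack("!BB", VSA_ADMIN_ROLE, 2 + len(value)) + value
    body = struct.pack("!I", VENDOR_ID_PALOALTO) + sub_attr
    return struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body


def parse_attributes(data: bytes):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting bad lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("attribute length out of range")
        yield atype, data[i + 2:i + alen]
        i += alen


def extract_admin_role(attrs: bytes):
    """Return the PaloAlto-Admin-Role string from an Access-Accept attribute list, or None."""
    for atype, value in parse_attributes(attrs):
        if atype != RADIUS_VSA_TYPE or len(value) < 6:
            continue  # not a VSA, or too short for a vendor id plus one sub-attribute header
        if struct.unpack("!I", value[:4])[0] != VENDOR_ID_PALOALTO:
            continue  # another vendor's VSA
        for vtype, vvalue in parse_attributes(value[4:]):
            if vtype == VSA_ADMIN_ROLE:
                return vvalue.decode("ascii", errors="replace")
    return None


def check_role(role, panorama: bool = False):
    """Exact, case-sensitive match against the pre-defined roles; returns the role or None."""
    valid = PANORAMA_ROLES if panorama else FIREWALL_ROLES
    return role if role in valid else None


def demo():
    """Build a constructed Access-Accept attribute list and evaluate the role it carries."""
    # Constructed sample: User-Name (type 1) "admin" followed by the role VSA.
    user_name = struct.pack("!BB", 1, 2 + 5) + b"admin"
    results = {}
    for sent in ("superuser", "SuperUser", "panorama-admin"):
        attrs = user_name + build_admin_role_vsa(sent)
        got = extract_admin_role(attrs)
        results[sent] = (got, check_role(got), check_role(got, panorama=True))
    return results


if __name__ == "__main__":
    for sent, (got, fw_role, pan_role) in demo().items():
        print(f"sent={sent!r} decoded={got!r} firewall={fw_role!r} panorama={pan_role!r}")
```

The second case is the one worth remembering: SuperUser decodes perfectly well, so a packet capture looks correct, but it matches none of the pre-defined roles, which is exactly what a role name typed with the wrong case in ACS produces. The third case shows why the firewall and Panorama role lists are kept separate: panorama-admin is valid only for Panorama.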


owner:  nayubi

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRKCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
