How to configure TACACS authentication against Cisco ISE
75088
Created On 08/07/19 14:28 PM - Last Modified 09/30/20 07:13 AM
Objective
Palo Alto Networks has started supporting TACACS+ with the release of PAN-OS 7.0. This document explains the steps to configure TACACS+ authentication on the Palo Alto Networks firewall for read-only and read-write access using Cisco ISE. We will explain how to configure both Palo Alto Networks firewall and Cisco ISE.
Procedure
On Palo Alto Networks Firewall
- We will start with configuring the TACACS+ server profile on the Firewall under Device --> Server Profiles --> TACACS+. Please press the "Add" button in order to add the Cisco ISE details as below:
- You can chose either PAP or CHAP for the authentication protocol, make sure that ISE authentication profile supports the one chosen in the above configuration.
- Enter the Server details (ip, secret and port) and then click "Ok".
- Create an authentication Profile specifying the method as TACACS+ also the TACACS+ server profile which was created earlier in step#1 under Device --> Setup --> Authentication Profile and then click "OK" once done.
-
Create two admin roles under Device -- > Admin Roles, one for Read-Only and the other for Read-Write as below:
Read-Write Role
Read-Only Role- You can specify exactly what the user can control or see on Web UI, via XML/Rest API and command line.
- For Read-Write role everything is enabled and "superuser" role for CLI was added, while for the Read-Only role we disabled some functionalities and added the "superreader" role for the CLI.
- Configure the Authentication Settings to use the authentication profile configured earlier under Device --> Management --> Authentication Settings and press the "Gear" to the top right of the box:
On Cisco ISE:
Note: In this document we are using version 2.1, later versions should be the same or with few differences, refer to the Cisco ISE user guide if needed.
Note: In this document we are using the local store to authenticate users, which means we will configure users locally to be used later by the firewall authentication, you can use another identity source like Active Directory as a user store if needed, make sure to specify the identity store or sequence in the necessary authentication rule.
Note: In this document we are using the local store to authenticate users, which means we will configure users locally to be used later by the firewall authentication, you can use another identity source like Active Directory as a user store if needed, make sure to specify the identity store or sequence in the necessary authentication rule.
- Create users under Work Centers --> Device Administration --> Identities as below:
- Add the name, password and any other attribute needed as per the requirements, then click "Save".
- In the above snapshot we created a user named "superadmin" which will have the Read-Write role, another user is also created with the name "Read-only" for Read-Only role.
- Create Device Groups in order to differentiate the request/response for the Firewall and the Panorama under Work Centers --> Device Administration --> Network Device Groups as below:
- Created a group type named "Palo Alto Networks" with two groups "Firewall" and "Panorama"
- Created a group type named "Palo Alto Networks" with two groups "Firewall" and "Panorama"
- Create the Network Devices (Authenticators) which in our case are the Palo Alto Networks Firewall/Panorama from Work Centers --> Device Administration --> Network Resources as below:
- In this step, we configure the Firewall parameters in ISE in order to make it aware of the source of the request, if the device was not configured then the ISE would drop the request, also you can see that we included the pre-configured group as Firewall in order to use it later for matching purposes, also we enabled TACACS and added the shared secret, make sure to use the same shared secret configured on the firewall.
- In this step we will configure the conditions which the ISE will use in order to match the request for its Authorization rule and then provide it the correct Shell profile (authorization profile), to configure it, go to Work Centers --> Device Administration --> Policy elements --> Authorization Simple Conditions , if the requirement to have compound condition then you can use it instead.
- We will create two authorization conditions matching the username within the TACACS req check the below snapshot:
Read-write User
Read-Only User - Now we need to create authorization result, which once we meet the above condition the Cisco ISE would provide parameters within the result (authorization profile) in order to let the Firewall/Panorama match the user with the correct role as per the configuration done earlier, you can go to Work Centers --> Device Administration --> Policy Elements --> Result --> TACACS Profiles as below:
Authorization Profile Read-only
- We have specified the vendor specific attribute for the Admin role and assigned it a value which is actually the role configured in the Firewall/Panorama, for more information about the VSAs please use the link below:
- The same authorization profile will be configured for the Read-Write role in order to be used later as a result for superadmin successful authorization.
- In order to configure the allowed protocols which should be supported by ISE then you can go to Allowed Protocols from the same Tab as below:
- Now we will create the authentication and authorization rules (Policy Set) which the ISE will use to match the Tacacs Request attributes and provide the appropriate response based on them, you can go to Work Centers --> Device Administration --> Device Admin Policy Sets :
Policy Set
Authentication Policy
Authorization Policy
Testing:
Now we test both GUI and CLI Access, also will view the results on the Firewall and the reports on ISE
Read-Only Access to Firewall:
GUI:
- Fewer number of tabs appeared once logged in as read-only user.
CLI:
Cisco ISE Logs:
- The Response below provided the VSA's with a value equals to Read-only Access.
Read-Write Access to Firewall:
GUI:
CLI:
- You can clearly see the difference now from CLI and GUI between Read-Only and Read-Write roles.
Cisco ISE logs:
Read-Only Access to Panorama:
GUI:
CLI:
Read-Write Access to Panorama:
GUI:
CLI:
Troubleshooting:
Note: We will cover some basic troubleshooting methods from both sides of the PAN Firewall/Panorama and Cisco ISE as below:Palo Alto Networks devices:
- Enable debugs for authentication using the command debug authentication on debug from CLI, the result can be seen in the log file authd using the command less mp-log authd, an example can be seen as below:
For superadmin:
admin@aalrefai-PAN9.0-1(active)> test authentication authentication-profile TACACS username superadmin password
Enter password :
Target vsys is not specified, user "superadmin" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "superadmin" is in group "all"
Authentication to TACACS+ server at '10.193.112.145' for user 'superadmin'
Server port: 49, timeout: 3, flag: 0
Egress: 10.193.112.132
Attempting PAP authentication ...
PAP authentication request is created
PAP authentication request is sent with priv_lvl=1 user=superadmin remote address=10.193.112.132
Authorization request is created
Authorization request sent with priv_lvl=1 user=superadmin service=PaloAlto protocol=firewall remote address=10.193.112.132
Authorization succeeded
Number of VSA returned: 2
VSA[0]: PaloAlto-Admin-Role=Read-Write
VSA[1]: PaloAlto-Panorama-Admin-Role=Read-Write
Authentication succeeded!
Authentication succeeded for user "superadmin"
Enter password :
Target vsys is not specified, user "superadmin" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "superadmin" is in group "all"
Authentication to TACACS+ server at '10.193.112.145' for user 'superadmin'
Server port: 49, timeout: 3, flag: 0
Egress: 10.193.112.132
Attempting PAP authentication ...
PAP authentication request is created
PAP authentication request is sent with priv_lvl=1 user=superadmin remote address=10.193.112.132
Authorization request is created
Authorization request sent with priv_lvl=1 user=superadmin service=PaloAlto protocol=firewall remote address=10.193.112.132
Authorization succeeded
Number of VSA returned: 2
VSA[0]: PaloAlto-Admin-Role=Read-Write
VSA[1]: PaloAlto-Panorama-Admin-Role=Read-Write
Authentication succeeded!
Authentication succeeded for user "superadmin"
For Read-only:
admin@aalrefai-PAN9.0-1(active)> test authentication authentication-profile TACACS username Read-only password
Enter password :
Target vsys is not specified, user "Read-only" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "Read-only" is in group "all"
Authentication to TACACS+ server at '10.193.112.145' for user 'Read-only'
Server port: 49, timeout: 3, flag: 0
Egress: 10.193.112.132
Attempting PAP authentication ...
PAP authentication request is created
PAP authentication request is sent with priv_lvl=1 user=Read-only remote address=10.193.112.132
Authorization request is created
Authorization request sent with priv_lvl=1 user=Read-only service=PaloAlto protocol=firewall remote address=10.193.112.132
Authorization succeeded
Number of VSA returned: 2
VSA[0]: PaloAlto-Admin-Role=Read-only
VSA[1]: PaloAlto-Panorama-Admin-Role=Read-only
Authentication succeeded!
Authentication succeeded for user "Read-only"
Enter password :
Target vsys is not specified, user "Read-only" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "Read-only" is in group "all"
Authentication to TACACS+ server at '10.193.112.145' for user 'Read-only'
Server port: 49, timeout: 3, flag: 0
Egress: 10.193.112.132
Attempting PAP authentication ...
PAP authentication request is created
PAP authentication request is sent with priv_lvl=1 user=Read-only remote address=10.193.112.132
Authorization request is created
Authorization request sent with priv_lvl=1 user=Read-only service=PaloAlto protocol=firewall remote address=10.193.112.132
Authorization succeeded
Number of VSA returned: 2
VSA[0]: PaloAlto-Admin-Role=Read-only
VSA[1]: PaloAlto-Panorama-Admin-Role=Read-only
Authentication succeeded!
Authentication succeeded for user "Read-only"
- One more thing can be done which taking Tcpdump captures for the actual traffic generated , by default the firewall uses the management interface to communicate with the TACACS server, if it is changed to another interface then you can take packet captures from the monitor --> packet captures , else you have to create tcpdump captures on the CLI as per the below link:
Cisco ISE:
- Live logs:
Operations --> Tacacs --> live logs
- Reports:
Operations --> Reports --> Device Administration --> Authorization / Authentication
- Packet Captures:
Operations --> Troubleshoot --> Diagnostic Tools --> TCP Dump
- Debug Logs:
Raise the log level to debug from Administration --> System --> Logging --> Debug Log Configuration, then choose the device which is processing the TACACS request and raise the log file runtime-AAA to debug.
You can download the whole support bundle or only the log file from Operations --> Troubleshoot --> Download Logs , Choose either support bundle or Debug Logs.