Admin role configured on an external authentication server is not applied to a firewall admin user.
Created On 09/22/21 05:11 AM - Last Modified 08/14/24 00:14 AM
Symptom
- The same admin user is configured on both the TACACS+ server and in the local administrator database.
- The TACACS+ server is configured with a custom role, while the local database is configured with a read-only role.
- The authentication sequence for management access is set to TACACS+ first, followed by the local database.
- The Vendor Specific Attribute (VSA) for the admin role (PaloAlto-Admin_Role) is correctly configured and is received by the firewall, as shown in authd.log (less mp-log authd.log).
- Instead of applying the role from the VSA, the firewall applies the locally configured admin role to the admin user.
debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1418): start to authorize user "user1"
debug: pan_auth_mgr_get_userinfo(pan_auth_mgr.c:1837): Found userinfo (name/role/ado) cache entry: user1/Custom_all/
debug: pan_auth_cache_get_pw_profile_global(pan_auth_cache_pw_complexity.c:114): password complexity is NOT enabled, so change_expiry_period=0, change_warning_period=0, expired_adminlogin_count=0, expiry_grace_period=0 are ignored
debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1527): Sent authorization response for user "user1": role/domain="Custom_all/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1
Environment
- Palo Alto Firewall
- PAN-OS 9.1 or higher
- TACACS+ configuration.
Cause
A locally defined admin role or access domain takes precedence over one defined on the remote server. This behaviour may change in the future.
Resolution
- Delete the admin account from the local administrator database and use only the external server for authentication and authorization of that account. The firewall then applies the admin role provided by the external server.
- Alternatively, configure the same admin role on the external server and in the local database, so the result is identical whichever one authenticates the user.
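As an added example (not part of this article or of PAN-OS), the Python below models the precedence rule stated under Cause, flags admin accounts that exist in both stores with differing roles, and parses the "Sent authorization response" line from authd.log to compare the applied role with the expected VSA role. The local/TACACS+ role tables and the log excerpt are constructed sample data.

```python
import re

# Constructed sample data (not from the article): admin accounts in the firewall's
# local administrator database and the PaloAlto-Admin_Role VSA value the TACACS+
# server returns for each user.
LOCAL_ADMINS = {"user1": "read_only_role"}                    # local DB: read-only role
TACACS_ROLES = {"user1": "Custom_all", "user2": "Custom_all"}  # VSA from TACACS+

# Constructed authd.log excerpt, modelled on the lines quoted in the article.
SAMPLE_AUTHD_LOG = '''debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1418): start to authorize user "user1"
debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1527): Sent authorization response for user "user1": role/domain="Custom_all/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1
'''

# Matches the "Sent authorization response" line and captures the applied role/domain.
AUTHZ_RE = re.compile(
    r'Sent authorization response for user "(?P<user>[^"]+)": '
    r'role/domain="(?P<role>[^/"]*)/(?P<domain>[^"]*)"'
)


def effective_role(user, local_admins, tacacs_roles):
    """Role the firewall applies, following the precedence rule under Cause:
    a locally defined role wins over the role supplied by the external server."""
    if user in local_admins:
        return local_admins[user]
    return tacacs_roles.get(user)


def parse_applied_roles(log_text):
    """Map each user to the role reported in the firewall's authorization response."""
    return {m["user"]: m["role"] for m in AUTHZ_RE.finditer(log_text)}


def find_role_conflicts(local_admins, tacacs_roles):
    """Users defined in both stores with differing roles. For these accounts the
    VSA role is silently overridden, which is exactly the reported symptom."""
    return {
        user: {"local": local_admins[user], "tacacs": tacacs_roles[user]}
        for user in local_admins
        if user in tacacs_roles and local_admins[user] != tacacs_roles[user]
    }


def verify_applied_roles(log_text, tacacs_roles):
    """Users whose role in authd.log differs from the role the TACACS+ VSA should deliver."""
    applied = parse_applied_roles(log_text)
    return {u: r for u, r in applied.items() if tacacs_roles.get(u) != r}
```

Running find_role_conflicts against a live admin inventory lists exactly the accounts that need one of the two Resolution steps applied.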