TACACS users are unable to view local administrators list

Created On 01/16/24 19:16 PM - Last Modified 01/16/24 21:51 PM


Symptom


  • TACACS users configured with a custom admin role are not able to view local administrators.
  • The VSA attribute "PaloAlto-Panorama-Admin-Role=Custom-Admin-Role" is configured for TACACS users (Ref documentation).
  • This can be confirmed in authd.log (less mp-log authd.log):
pan_authd_tacplus_authenticate(pan_authd_shared_tacplus.c:312): VSA from Tacacs+ server: attr[0] - PaloAlto-Panorama-Admin-Role=Custom-Admin-Role
GUI: Panorama > Admin roles > (Add)


 


Environment


  • Any Panorama
  • PAN-OS 9.1 and above
  • TACACS


Cause


  • Once an administrator is associated with an admin role profile, that administrator is a role-based admin and not a superuser.
  • For security reasons, only superuser and securityadmin can view the administrator list in the user interface.


Resolution


To let TACACS users view the local administrator list, configure the VSA attribute as "superuser" on the TACACS server:
PaloAlto-Panorama-Admin-Role=superuser
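
To check which role the TACACS+ server actually returned, the authd.log entry shown under Symptom can be parsed offline. The script below is an added example, not code from Palo Alto Networks. It assumes the log line format quoted in this article and that the VSA value carries the role name literally. The sample log text is constructed.

```python
import re

# Roles the article says can view the administrator list in the UI.
# Assumption: the VSA value carries these role names literally.
CAN_VIEW_ADMIN_LIST = {"superuser", "securityadmin"}

# Matches the authd.log fragment quoted in the article.
VSA_RE = re.compile(
    r"VSA from Tacacs\+ server: attr\[(\d+)\] - "
    r"PaloAlto-Panorama-Admin-Role=(\S+)"
)

# Constructed sample; only the first line's format comes from the article.
SAMPLE_LOG = """\
pan_authd_tacplus_authenticate(pan_authd_shared_tacplus.c:312): VSA from Tacacs+ server: attr[0] - PaloAlto-Panorama-Admin-Role=Custom-Admin-Role
pan_authd_tacplus_authenticate(pan_authd_shared_tacplus.c:312): VSA from Tacacs+ server: attr[0] - PaloAlto-Panorama-Admin-Role=superuser
constructed unrelated authd line without a VSA
"""


def panorama_roles(log_text):
    """Return one record per PaloAlto-Panorama-Admin-Role VSA in the log."""
    records = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        match = VSA_RE.search(line)
        if not match:
            continue
        role = match.group(2)
        records.append({
            "line": lineno,
            "attr_index": int(match.group(1)),
            "role": role,
            # Any other role maps to an admin role profile (role-based admin).
            "sees_admin_list": role in CAN_VIEW_ADMIN_LIST,
        })
    return records


if __name__ == "__main__":
    for rec in panorama_roles(SAMPLE_LOG):
        verdict = ("can view the administrator list" if rec["sees_admin_list"]
                   else "role-based admin, administrator list hidden")
        print(f"line {rec['line']}: {rec['role']} -> {verdict}")
```

Run over an exported authd.log, the same output also lists every TACACS login that was granted superuser, which is worth reviewing after applying the resolution above.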


Additional Information


Management access through TACACS
