Cisco RADIUS ACS 5.6 authentication – multiple admin roles
Prepare the firewall for multi-role admin access:
Create a RADIUS Server Profile (server name, IP address and secret). Make sure it is created in the Shared location.
Create Access Domains: Device/Access Domain:
– all-vsys-domain (including all vsys)
– ONE-domain (including only ONE-vsys)
Create auth profile: Device/Authentication Profile:
– RadiusAuthProfile-ACS – authentication type RADIUS, referencing the RADIUS server profile created above; Allow List set to All.
– LocalAuthentication-Shared – authentication type Local Database, all users.
Create an Authentication Sequence in the Shared location containing both authentication profiles, RADIUS first and local second, in that order.
Configure the management authentication profile: under Device/Management/Authentication Settings, select the authentication sequence that includes RADIUS and local.
Create the different admin roles under Device/Admin Roles:
– rwadmin – role type Device, CLI role superuser.
– roadmin – role type Device, CLI role superreader. Disable access to the Dashboard and disable Commit. This is where you restrict what the role can reach in the web portal.
The admin role names are returned by the RADIUS server and must match exactly the names defined here, e.g. in “PaloAlto-Admin-Role – string – roadmin”.
Prepare ACS for Palo Alto:
System Administration/Configuration/Dictionaries/Protocols/RADIUS/RADIUS VSA – create a PaloAlto dictionary element using vendor ID 25461. Inside that element create the following 5 attributes:

Network Resources/Network Device Groups/Device Type – create a new group for firewalls (“PAN-Firewalls”).
Network Device Groups/Device Type – create the new device types “PAN-Firewalls” and “Panorama”.
Network Device Groups/Location – create the new locations “PAN-Firewalls” and “Panorama”.
Network Resources/Network Devices and AAA Clients – add the devices as shown below. This is where the RADIUS shared secret for each device is entered; it must match the secret in the firewall's RADIUS Server Profile.

Users and Identity Stores/Identity Groups – create the user groups:

Users and Identity Stores/Internal Identity Stores/Users – create the users that will log in to the devices:

Policy Elements/Authorization and Permissions/Network Access/Authorization Profiles – create the profiles:
PAN-RO-AllVsys with the following RADIUS attributes:
– PaloAlto-Admin-Role – string – roadmin
– PaloAlto-Admin-Access-Domain – string – FBC-domain (this is where you choose between access to all vsys or to one vsys, by naming the matching Access Domain from the firewall)
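The two attributes above travel to the firewall as RADIUS Vendor-Specific attributes (type 26) under vendor ID 25461, and the firewall matches the returned role string exactly against its Device/Admin Roles. The following added example (not part of the original article or of any Palo Alto or Cisco software) encodes and decodes such VSAs and reproduces the exact-match check; the vendor sub-attribute numbers 1 and 2 are taken from Palo Alto's published RADIUS dictionary, which the page itself does not list, and the configured role set is assumed.

```python
import struct

PALOALTO_VENDOR_ID = 25461   # vendor ID used for the ACS dictionary element
VSA_TYPE = 26                # RFC 2865 Vendor-Specific attribute type
# Vendor sub-attribute numbers assumed from Palo Alto's RADIUS dictionary;
# verify them against the attributes you defined in ACS.
VENDOR_ATTRS = {1: "PaloAlto-Admin-Role", 2: "PaloAlto-Admin-Access-Domain"}

# Assumed admin role names, as configured under Device/Admin Roles.
CONFIGURED_ROLES = {"rwadmin", "roadmin"}


def encode_vsa(vendor_type: int, value: str) -> bytes:
    """Build one VSA: type(1) length(1) vendor-id(4) vendor-type(1) vendor-length(1) string."""
    data = value.encode("ascii")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + sub
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def decode_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return {name: value} for PaloAlto VSAs only."""
    out, i = {}, 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed RADIUS attribute length")
        if atype == VSA_TYPE and alen >= 8:
            vendor_id = struct.unpack("!I", attrs[i + 2:i + 6])[0]
            if vendor_id == PALOALTO_VENDOR_ID:
                vtype, vlen = attrs[i + 6], attrs[i + 7]
                value = attrs[i + 8:i + 6 + vlen].decode("ascii")
                out[VENDOR_ATTRS.get(vtype, f"vendor-type-{vtype}")] = value
        i += alen  # skip non-PaloAlto attributes such as Reply-Message
    return out


def resolve_role(vsas: dict, configured=CONFIGURED_ROLES):
    """Mimic the firewall's lookup: the role string from ACS must equal a configured
    admin role byte for byte (case included); otherwise no role is granted."""
    role = vsas.get("PaloAlto-Admin-Role")
    return role if role in configured else None
```

Running decode_vsas over the reply with "roadmin" yields the role, while a reply carrying "ROadmin" (a casing mistake in the ACS profile) resolves to no role, which is the symptom authd.log will show.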

Sample of the created profiles; Permit Access is the default pre-built profile on ACS:

Access Policies/Service Selection Rules – create a Service Selection Policy matching the protocol (RADIUS) and the device filter (PaloAltoFirewalls). If you don't see those two conditions, click Customize on the previous screen and add the required conditions.

Access Policies/Default Network Access/Authorization – create authorization policies combining location, identity group and authorization profile. Example of the AllVsys access policy:

Test access to the PAN firewalls by logging in with the users created on ACS.
A very useful command on PAN for troubleshooting authentication, which follows the live authentication log, is: > tail follow yes mp-log authd.log