Cisco RADIUS ACS 5.6 authentication – multiply admin roles

Prepare firewall for multi role admin access:
Create RADIUS Server Profile (Server name, IP address and secret). Make sure it is shared.
Create Access Domains: Device/Access Domain:
          – all-vsys-domain (including all vsys)
– ONE-domain (including only ONE-vsys)
Create auth profile: Device/Authentication Profile:
         –  RadiusAuthProfile-ACS calling in Radius server profile and authentication Radius, allow user list All
– LocalAuthentication-Shared – using local database for authentication, all users.
Create Authentication Sequence, as shared location, including authentication profiles, radius first and local second in the row.
Configure Authentication profile: Device/Management/Authentication settings setup authentication profile that includes radius and local
Create different admin roles: Device/Admin Roles:
          – rwadmin, role device, CLI Role is superuser.
          – roadmin, role device, CLI role superreader. Disable access to Dashboard, disable Commit. Here is place where you can put restrictions to portal access
Admin roles are called by Radius server and must be entered exactly as they appear here, in “PaloAlto-Admin-Role – string – roadmin”
Prepare ACS for PaloAlto:

System administration/configuration/protocols/RADIUS/RADIUS VSA – create PaloAlto dictionary element using vendor ID of 25461 . Inside of that element create following 5 attributes:

Pic1
Network resources/Network Device Groups/Device Type – create new group for firewalls (“PAN-Firewalls”)
Network Device Groups/Device Types – create new devices types “PAN-Firewalls” and “Panorama”
Network Device Groups/Location – create new locations “PAN-Firewalls” and “Panorama”
Network resources/Network devices and AAA clients – add devices as per below. Here is the place where RADIUS secret key must be created.
Pic2
Users and Identity Stores/Identity Groups – create user groups:
Pic3
Users and Identity Stores/Internal identity stores/Users – create users that will be used to login to devices:
Pic4
Policy Elements/Authorization and permissions/network access/authorization profiles – create profiles:
     PAN-RO-AllVsys with following RADIUS attributes:
                    – PaloAlto-Admin-Role – string – roadmin
                    – PaloAlto-Admin-Access-Domain – string – FBC-domain (here is where you change access to either all vsys or one vsys)
Pic5
Sample of created profiles; Permit Access is default pre-built profile on ACS:
Pic6
Access Policies/Service Selection Rules – create Service Selection Policy matching protocol (Radius) and Device filter (PaloAltoFirewalls). If you don’t see those two conditions, click on Customize on previews screen and add required conditions.
Pic7
Access Policies/Default Network Access/Authorization – create authorization policies including locations, Identity group, and authorization profiles. Example of AllVsys access policy:
Pic8
Test access to PAN firewalls by logging in to PAN with users created on ACS.
Very useful command on PAN to troubleshoot authentication that looks for a live auth log is: > tail follow yes mp-log authd.log

 

Advertisements