Contributor I
Posts: 57
Registered: ‎08-28-2008

TACACS+ Authorization

Hi guys,

We have a CPPM running 6.6.5.93747.

I've created a service to authenticate and authorize admin users logging in to a Palo Alto Networks firewall using TACACS+. The authentication step is OK: the user can log in on the firewall using CPPM as the TACACS+ server. The problem is in authorization. I cannot enforce the admin group privilege.

The PA firewall sends some parameters in the authentication process:

Authorization request sent with priv_lvl=1 user=tacacsuser service=PaloAlto protocol=firewall

 

I've attached the Access Tracker "Authorizations" and "Alerts" screens with the errors.

I need to send back the attribute "PaloAlto-Admin-Role" with the name of the user profile.

Authorization support using TACACS+ is new in the PA firewall. It was included in the latest major version, released a month ago. So I don't know if someone else will have the same problem as me. Therefore, if you have another kind of scenario that I can copy, I would appreciate it.

 

Thank you.

Paulo R.

Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: TACACS+ Authorization

What version of PANOS are you running?

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Contributor I
Posts: 57
Registered: ‎08-28-2008

Re: TACACS+ Authorization

Hi Tim,

PANOS 8.0.1.

Here is a PA doc of a configuration in Cisco ACS using authorization profiles:

https://live.paloaltonetworks.com/t5/Configuration-Articles/Palo-Alto-Management-Access-through-TACACS/ta-p/149144

Contributor I
Posts: 57
Registered: ‎08-28-2008

Re: TACACS+ Authorization

Hi,

I found the issue. As PANOS sends "service=PaloAlto protocol=firewall" in Authorization, we need to create a TACACS+ Service called PaloAlto:firewall with the "PaloAlto-Admin-Role" string.

Thanks
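To show why the service name has to match "service:protocol" exactly, here is an added example (not code from this thread, from ClearPass or from Palo Alto) that encodes the TACACS+ authorization REQUEST body as PAN-OS describes it, looks the service:protocol pair up in a constructed policy table and builds the REPLY carrying PaloAlto-Admin-Role. The role value "superuser", the policy table and the omission of the packet header and body obfuscation are assumptions for the illustration.

```python
import struct

# TACACS+ authorization status codes (RFC 8907, section 6.2).
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

# Constructed CPPM-style policy: "<service>:<protocol>" -> AV pairs to return.
# The key must equal what the device sends, hence "PaloAlto:firewall".
SERVICE_ATTRIBUTES = {
    "PaloAlto:firewall": ["PaloAlto-Admin-Role=superuser"],  # role is a placeholder
}

def build_author_request(user, args, priv_lvl=1):
    """Encode an authorization REQUEST body (RFC 8907 section 6.1 layout)."""
    user_b, port_b, rem_b = user.encode(), b"", b""
    args_b = [a.encode() for a in args]
    # authen_method=TACACSPLUS(0x06), authen_type=ASCII(0x01), authen_service=LOGIN(0x01)
    body = struct.pack("!BBBBBBBB", 0x06, priv_lvl, 0x01, 0x01,
                       len(user_b), len(port_b), len(rem_b), len(args_b))
    body += bytes(len(a) for a in args_b)
    return body + user_b + port_b + rem_b + b"".join(args_b)

def parse_author_request(body):
    """Decode a REQUEST body into (user, priv_lvl, {attribute: value})."""
    _, priv_lvl, _, _, ulen, plen, rlen, argc = struct.unpack("!BBBBBBBB", body[:8])
    arg_lens = body[8:8 + argc]
    off = 8 + argc
    user = body[off:off + ulen].decode()
    off += ulen + plen + rlen
    avpairs = {}
    for alen in arg_lens:
        arg = body[off:off + alen].decode()
        off += alen
        sep = "=" if "=" in arg else "*"   # "=" mandatory, "*" optional attribute
        key, _, val = arg.partition(sep)
        avpairs[key] = val
    return user, priv_lvl, avpairs

def build_author_reply(status, args, server_msg=""):
    """Encode an authorization REPLY body: status, arg_cnt, msg_len, data_len, args."""
    msg_b = server_msg.encode()
    args_b = [a.encode() for a in args]
    body = struct.pack("!BBHH", status, len(args_b), len(msg_b), 0)
    return body + bytes(len(a) for a in args_b) + msg_b + b"".join(args_b)

def authorize(request_body):
    """Match the requested service:protocol against policy and build the REPLY."""
    _user, _priv_lvl, av = parse_author_request(request_body)
    key = f"{av.get('service', '')}:{av.get('protocol', '')}"
    attrs = SERVICE_ATTRIBUTES.get(key)
    if attrs is None:  # no TACACS+ service with that name: deny, as in the thread
        return build_author_reply(TAC_PLUS_AUTHOR_STATUS_FAIL, [], f"no service {key}")
    return build_author_reply(TAC_PLUS_AUTHOR_STATUS_PASS_ADD, attrs)
```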

Guru Elite
Posts: 8,649
Registered: ‎09-08-2010

Re: TACACS+ Authorization

Yes, that's correct. Attached is the TACACS+ dictionary.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480