04-18-2017 03:07 PM
We have a CPPM running 22.214.171.124747.
I've created a service to authenticate and authorize admin users logging in to a Palo Alto Networks firewall using TACACS+. The Authentication step is OK... The user can log in on the firewall using CPPM as the TACACS+ server. The problem is in Authorization. I cannot enforce admin group privilege.
The PA firewall sends some parameters in the authentication process:
Authorization request sent with priv_lvl=1 user=tacacsuser service=PaloAlto protocol=firewall
I've attached Access Tracker "Authorizations" and "Alerts" screens with the errors.
I need to send back the attribute "PaloAlto-Admin-Role" with the name of the user profile.
Authorization support using TACACS+ is new in the PA firewall. It was included in the latest major version released a month ago. So, I don't know if someone else will have the same problem as me. Therefore, if you have another kind of scenario that I can copy, I would appreciate it.
04-18-2017 03:13 PM
Here is a PA doc of a configuration in Cisco ACS using Authorization profiles:
04-18-2017 03:23 PM
I found the issue. As PAN-OS sends "service=PaloAlto protocol=firewall" in Authorization, we need to create a TACACS+ Service called PaloAlto:firewall with the "PaloAlto-Admin-Role" string.
04-18-2017 03:39 PM
Yes, that's correct. Attached is the TACACS+ dictionary.
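As an added illustration (not code from the thread, ClearPass or PAN-OS), the following Python models the authorization exchange discussed above: it encodes TACACS+ authorization REQUEST and REPLY bodies per RFC 8907, matches the "service:protocol" pair the firewall sends against a configured service table, and returns PaloAlto-Admin-Role on a match or AUTHOR_STATUS_FAIL when no such service exists, which is the failure seen before the PaloAlto:firewall service was created. The service table and the role name "superuser" are assumed for the example.

```python
import struct

# TACACS+ authorization status codes (RFC 8907, section 6.2)
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_FAIL = 0x10

# Constructed service table keyed "<service>:<protocol>"; "superuser" is an assumed role name.
SERVICES = {"PaloAlto:firewall": {"PaloAlto-Admin-Role": "superuser"}}


def make_author_request(user: str, priv_lvl: int, args: list) -> bytes:
    """Construct an authorization REQUEST body like the one PAN-OS sends (port/rem_addr empty)."""
    enc = [a.encode() for a in args]
    # authen_method=6 (TACACS+), authen_type=1 (ASCII), authen_service=1 (LOGIN)
    hdr = struct.pack("!8B", 6, priv_lvl, 1, 1, len(user), 0, 0, len(enc))
    return hdr + bytes(len(a) for a in enc) + user.encode() + b"".join(enc)


def parse_author_request(body: bytes) -> dict:
    """Parse a REQUEST body into priv_lvl, user and a dict of attribute=value args."""
    (_method, priv_lvl, _atype, _aservice,
     user_len, port_len, rem_len, arg_cnt) = struct.unpack("!8B", body[:8])
    pos = 8 + arg_cnt
    arg_lens = body[8:pos]
    user = body[pos:pos + user_len].decode()
    pos += user_len + port_len + rem_len           # skip port and rem_addr
    args = {}
    for n in arg_lens:
        key, _, val = body[pos:pos + n].decode().partition("=")
        args[key] = val
        pos += n
    return {"priv_lvl": priv_lvl, "user": user, "args": args}


def build_author_reply(status: int, attrs: dict) -> bytes:
    """Encode a REPLY body: status, arg_cnt, server_msg_len, data_len, arg lens, args."""
    enc = [f"{k}={v}".encode() for k, v in attrs.items()]
    hdr = struct.pack("!BBHH", status, len(enc), 0, 0)
    return hdr + bytes(len(a) for a in enc) + b"".join(enc)


def authorize(body: bytes) -> bytes:
    """Look up the service the client named; no matching service means authorization fails."""
    req = parse_author_request(body)
    key = f"{req['args'].get('service', '')}:{req['args'].get('protocol', '')}"
    attrs = SERVICES.get(key)
    if attrs is None:   # the state before the PaloAlto:firewall service existed
        return build_author_reply(AUTHOR_STATUS_FAIL, {})
    return build_author_reply(AUTHOR_STATUS_PASS_ADD, attrs)


if __name__ == "__main__":
    req = make_author_request("tacacsuser", 1, ["service=PaloAlto", "protocol=firewall"])
    print(authorize(req))
```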