Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

TACACS+ Authorization

  • 1.  TACACS+ Authorization

    Posted Apr 18, 2017 06:07 PM

    Hi guys,

    We have a CPPM running 6.6.5.93747.

    I've created a service to authenticate and authorize admin users to log in to Palo Alto Networks firewalls using TACACS+. The Authentication step is OK... The user can log in on the firewall using CPPM as the TACACS+ server. The problem is in Authorization. I cannot enforce the admin group privilege.

    The PA firewall sends some parameters in the authentication process:

    Authorization request sent with priv_lvl=1 user=tacacsuser service=PaloAlto protocol=firewall

    I've attached Access Tracker "Authorizations" and "Alerts" screens with the errors.

    I need to send back the attribute "PaloAlto-Admin-Role" with the name of the user profile.

    Authorization support using TACACS+ is new in the PA firewall. It was included in the latest major version released a month ago.. So, I don't know if someone else will have the same problem as me. Therefore, if you have another kind of scenario that I can copy, I would appreciate it.

    Thank you.

    Paulo R.



  • 2.  RE: TACACS+ Authorization

    EMPLOYEE
    Posted Apr 18, 2017 06:12 PM
    What version of PANOS are you running?


  • 3.  RE: TACACS+ Authorization

    Posted Apr 18, 2017 06:14 PM

    Hi Tim,

    PANOS 8.0.1.

    Here is a PA doc of a configuration in Cisco ACS using Authorization profiles:

    https://live.paloaltonetworks.com/t5/Configuration-Articles/Palo-Alto-Management-Access-through-TACACS/ta-p/149144



  • 4.  RE: TACACS+ Authorization
    Best Answer

    Posted Apr 18, 2017 06:23 PM

    Hi..

    I found the issue.. As PANOS sends "service=PaloAlto protocol=firewall" in Authorization, we need to create a TACACS+ service called PaloAlto:firewall with the "PaloAlto-Admin-Role" string.

    Thanks
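The server side of the fix described in post 4, as an added example that is not part of this thread, ClearPass or PAN-OS: it parses the authorization args the firewall sends, looks up a "service:protocol" entry such as PaloAlto:firewall, and encodes the TACACS+ authorization REPLY body (RFC 8907 layout) that carries PaloAlto-Admin-Role back. The policy table, the role value "superuser" and the exact-string lookup are assumptions of the example.

```python
import struct

# TACACS+ authorization REPLY status codes (RFC 8907).
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01   # client adds returned args to its own
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

# Constructed policy table, keyed the way the thread describes ClearPass
# TACACS+ services ("service:protocol"). The role value is a sample only.
SERVICES = {
    "PaloAlto:firewall": {"PaloAlto-Admin-Role": "superuser"},
}


def parse_request_args(line):
    """Split the space-separated key=value args PAN-OS sends into a dict."""
    return dict(arg.split("=", 1) for arg in line.split() if "=" in arg)


def lookup_service(args):
    """Find the service entry for the request's service/protocol pair.

    Exact string matching is an assumption of this example."""
    key = "{}:{}".format(args.get("service", ""), args.get("protocol", ""))
    return SERVICES.get(key)


def build_author_reply(args):
    """Encode an authorization REPLY body (packet header omitted)."""
    attrs = lookup_service(args)
    if attrs is None:
        status, av_pairs = TAC_PLUS_AUTHOR_STATUS_FAIL, []
    else:
        status = TAC_PLUS_AUTHOR_STATUS_PASS_ADD
        av_pairs = ["{}={}".format(k, v).encode() for k, v in attrs.items()]
    server_msg, data = b"", b""
    # status, arg_cnt, server_msg_len, data_len, then one length byte per arg
    body = struct.pack("!BBHH", status, len(av_pairs), len(server_msg), len(data))
    body += bytes(len(a) for a in av_pairs)
    return body + server_msg + data + b"".join(av_pairs)


def decode_author_reply(body):
    """Decode a REPLY body back into (status, [arg, ...]) for checking."""
    status, arg_cnt, msg_len, data_len = struct.unpack_from("!BBHH", body, 0)
    offset = 6
    lengths = list(body[offset:offset + arg_cnt])
    offset += arg_cnt + msg_len + data_len
    av_pairs = []
    for length in lengths:
        av_pairs.append(body[offset:offset + length].decode())
        offset += length
    return status, av_pairs
```

A request whose service/protocol pair has no matching entry gets a FAIL reply with no args, which is what the firewall sees as a denied login.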



  • 5.  RE: TACACS+ Authorization

    EMPLOYEE
    Posted Apr 18, 2017 06:40 PM

    Yes, that's correct. Attached is the TACACS+ dictionary.




  • 6.  RE: TACACS+ Authorization

    Posted Mar 27, 2018 04:47 PM

    I seem to be failing the authorization part too (Authentications show passed, but the Firewall denies me access).

    I added the dictionary listed in this post and dumped my SHELL profile for a PaloAlto:Firewall version that had the PaloAlto-Admin-Role included, and it returns "superuser", but man, I can't figure out why it's rejected.

    PANOS 8.0.7, ClearPass 6.7.2