I’ve previously used a mix of LDAP, RADIUS, and TACACS+ authentication for administrator access on Palo Alto firewalls, but never without a local account configured for each admin on each device. Since our Palo Alto VM-300s are being turned over to the larger parent company, which has over 20 admins, maintaining individual local accounts is no longer practical, and we need to control each admin’s role (group policy) centrally on the authentication server.
Here are the steps on the Palo Alto device:
If not done already, create a RADIUS or TACACS+ server profile (Device -> Server Profiles).
If not done already, create an Authentication Profile (Device -> Authentication Profile) that uses that server profile.
Under Device -> Admin Roles, create a new role. Its name must match exactly the value the authentication server will return.
To test, create or modify a locally defined admin account and assign it that role.
After verifying that the role behaves as expected, delete the test account.
Under Device -> Setup -> Management -> Authentication Settings, set the Authentication Profile to be used for administrators who are not defined locally.
RADIUS Server Setup
If not done already, set up a mapping from user group to Admin Role name on the authentication server. In RADIUS this is done with a vendor-specific attribute (VSA): vendor code 25461 (Palo Alto Networks), attribute number 1 (PaloAlto-Admin-Role), format String, with the attribute value set to the exact name of the admin role created above. This is similar to how Check Point (vendor code 2620) handles admin roles.
Here’s an example using NPS on Windows Server 2012 R2:
On successful authentication, the server returns the role name in that attribute and the firewall assigns the user to that role.
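As an added example (not code from the original post), here is a small Python encoder and decoder for that attribute, together with the Response Authenticator check a RADIUS client performs before it trusts an Access-Accept at all. The wire format follows RFC 2865 (Vendor-Specific is attribute 26), and vendor id 25461 with vendor attribute 1 are the values described above; the shared secret, packet identifier and the role name "ParentCo-FW-Admins" used in demo() are constructed for illustration.

```python
"""Encode, decode and authenticate the Palo Alto RADIUS VSA used for admin role mapping.

Added example, not from the original post. Wire format is RFC 2865 (Vendor-Specific is
attribute 26; the Response Authenticator is MD5 over the reply). Vendor id 25461 and
vendor attribute 1 (PaloAlto-Admin-Role) are the values described in the text; the
secret, identifier and role name used in demo() are constructed for illustration.
"""
import hashlib
import hmac
import os
import struct

RADIUS_VENDOR_SPECIFIC = 26
PALOALTO_VENDOR_ID = 25461
PALOALTO_ADMIN_ROLE = 1      # vendor-type of the PaloAlto-Admin-Role string attribute
ACCESS_ACCEPT = 2
HEADER_LEN = 20              # code, id, length, 16-byte authenticator


def encode_vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """One Vendor-Specific attribute: 26 | len | vendor-id(4) | vtype | vlen | value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    if 6 + len(inner) > 255:
        raise ValueError("RADIUS attribute longer than 255 bytes")
    return struct.pack("!BBI", RADIUS_VENDOR_SPECIFIC, 6 + len(inner), vendor_id) + inner


def encode_admin_role(role: str) -> bytes:
    """The attribute NPS/ISE sends: PaloAlto-Admin-Role = <admin role name>."""
    return encode_vsa(PALOALTO_VENDOR_ID, PALOALTO_ADMIN_ROLE, role.encode())


def iter_attributes(data: bytes):
    """Yield (type, value) from a RADIUS attribute list, refusing malformed lengths."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def decode_vsas(data: bytes) -> dict:
    """Map (vendor_id, vendor_type) -> value for every VSA in the attribute list."""
    out = {}
    for atype, value in iter_attributes(data):
        if atype != RADIUS_VENDOR_SPECIFIC or len(value) < 6:
            continue
        vendor_id = struct.unpack("!I", value[:4])[0]
        vpos = 4
        while vpos < len(value):
            if len(value) - vpos < 2:
                raise ValueError("truncated vendor attribute")
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                raise ValueError("bad vendor attribute length")
            out[(vendor_id, vtype)] = value[vpos + 2:vpos + vlen]
            vpos += vlen
    return out


def admin_role_from_attributes(data: bytes):
    """Role name the firewall maps the user to, or None when the VSA is absent."""
    value = decode_vsas(data).get((PALOALTO_VENDOR_ID, PALOALTO_ADMIN_ROLE))
    return value.decode() if value is not None else None


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, attributes: bytes) -> bytes:
    """Access-Accept with Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, HEADER_LEN + len(attributes))
    resp_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_access_accept(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """What the client must do before honouring a role: recompute the Response
    Authenticator, so a forged Accept carrying a privileged role is discarded."""
    if len(packet) < HEADER_LEN:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return False
    attributes = packet[HEADER_LEN:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attributes + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN])


def demo() -> str:
    """Server builds an Accept carrying the role; client verifies it, then reads the role."""
    secret = b"constructed-shared-secret"          # constructed for the example
    request_authenticator = os.urandom(16)         # copied from the Access-Request
    attributes = encode_admin_role("ParentCo-FW-Admins")
    packet = build_access_accept(0x2A, request_authenticator, secret, attributes)
    if not verify_access_accept(packet, request_authenticator, secret):
        raise RuntimeError("Access-Accept failed authentication")
    # Tampering with the role after the fact invalidates the Response Authenticator.
    forged = packet[:-1] + bytes([packet[-1] ^ 0x01])
    assert not verify_access_accept(forged, request_authenticator, secret)
    return admin_role_from_attributes(packet[HEADER_LEN:])


if __name__ == "__main__":
    print("mapped to admin role:", demo())
```

The decoder ignores VSAs from other vendors (a Check Point attribute with vendor code 2620 in the same reply is simply skipped), so the role comes only from the attribute the firewall actually reads; the length checks matter because the attribute list is attacker-influenced if the shared secret is ever weak.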
Cisco ISE (TACACS+) Server Setup
The process on ISE is fundamentally the same, and the documented procedure can be found here:
Licensing costs start at just under $100 per user per year. For compute costs, these are commonly used supported instance sizes in a typical AWS region, with approximate annual on-demand cost:
t2.micro: 1 vCPU, 1 GB RAM, ~75 Mbps = ~$100/yr
t2.small: 1 vCPU, 2 GB RAM, ~125 Mbps = ~$200/yr
t2.medium: 2 vCPU, 2 GB RAM, ~250 Mbps = ~$400/yr
t2.large: 2 vCPU, 8 GB RAM, ~500 Mbps = ~$800/yr
SSH to the instance’s public IP address with the matching private SSH key, using ‘openvpnas’ as the username.
The setup wizard should start automatically on first login. To run it again:
To use the second interface (eth1) as the internal interface, get its private IP address from the AWS console and then edit /etc/netplan/50-cloud-init.yaml to add the address under eth1 in CIDR form (e.g. 192.168.101.123 with mask 255.255.255.0 becomes 192.168.101.123/24). Note that cloud-init generates this file and may regenerate it on reboot unless its network configuration is disabled, so check that the edit survives a restart.
addresses: [192.168.101.123/24]
After saving the file, apply the netplan configuration and verify that eth1 has the new IP address:
sudo netplan apply
To add static routes for internal networks (for example, the RFC 1918 blocks) via eth1, add a routes section under the same interface, with via set to eth1’s gateway on the internal subnet:
routes:
  - to: 192.168.0.0/16
    via: <eth1 gateway IP>
  - to: 172.16.0.0/12
    via: <eth1 gateway IP>
  - to: 10.0.0.0/8
    via: <eth1 gateway IP>
Then apply netplan again and verify that the routes are installed as entered:
sudo netplan apply
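As an added example (not from the original post), the following Python script renders the eth1 netplan file for the steps above and checks it before anything is applied: it converts the dotted netmask to a prefix length, refuses a gateway that is not on eth1’s subnet, and rejects route prefixes with host bits set. The address 192.168.101.123/255.255.255.0 and the RFC 1918 routes are the ones from the text; the gateway 192.168.101.1 and the file name /etc/netplan/60-internal.yaml are assumptions (netplan merges every *.yaml in that directory, which keeps the cloud-init managed 50-cloud-init.yaml untouched).

```python
"""Build and sanity-check a netplan file for the internal (eth1) interface.

Added example, not from the original post. The address 192.168.101.123/255.255.255.0
and the RFC 1918 routes are the ones from the text; the gateway 192.168.101.1 and the
file name 60-internal.yaml are assumptions. Written as its own file so that the
cloud-init managed 50-cloud-init.yaml is left alone (netplan merges every *.yaml).
"""
import ipaddress

RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")


def dotted_mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24; rejects non-contiguous masks such as 255.0.255.0."""
    bits = int(ipaddress.IPv4Address(mask))
    prefix = bin(bits).count("1")
    if bits != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask}")
    return prefix


def internal_interface_netplan(address: str, netmask: str, gateway: str,
                               routes=RFC1918, iface: str = "eth1") -> str:
    """Return netplan YAML for iface with a static address and routes via gateway.

    Refuses a gateway outside the interface's subnet (or equal to its own address),
    which would leave every route unreachable, and host bits set in a route prefix.
    """
    link = ipaddress.IPv4Interface(f"{address}/{dotted_mask_to_prefix(netmask)}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in link.network or gw == link.ip:
        raise ValueError(f"gateway {gw} is not a usable next hop on {link.network}")
    lines = [
        "network:",
        "  version: 2",
        "  ethernets:",
        f"    {iface}:",
        f"      addresses: [{link.with_prefixlen}]",
        "      routes:",
    ]
    for dest in routes:
        net = ipaddress.IPv4Network(dest)     # strict: '10.0.0.1/8' raises ValueError
        lines.append(f"        - to: {net.with_prefixlen}")
        lines.append(f"          via: {gw}")
    return "\n".join(lines) + "\n"


def write_netplan(path: str, address: str, netmask: str, gateway: str) -> str:
    """Render and write the file; apply afterwards with 'sudo netplan try', then 'apply'."""
    text = internal_interface_netplan(address, netmask, gateway)
    with open(path, "w") as fh:
        fh.write(text)
    return text


if __name__ == "__main__":
    # Values from the post plus the assumed gateway; writes the assumed file name.
    print(write_netplan("/etc/netplan/60-internal.yaml",
                        "192.168.101.123", "255.255.255.0", "192.168.101.1"))
```

Prefer `sudo netplan try` before `sudo netplan apply` on a remote instance: it reverts the change automatically if you do not confirm within the timeout, so a mistake in the eth1 stanza cannot cost you the SSH session on eth0. Afterwards confirm with `ip addr show eth1` and `ip route`, which should list the three RFC 1918 routes via the eth1 gateway.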
Set an initial password for the openvpn admin account with this command: