Using Remotely configured Role Names on a Palo Alto firewall

I’ve previously used a mix of LDAP, RADIUS, and TACACS authentication for administrator access on Palo Alto firewalls, but never without local accounts also configured on each device. Since our Palo Alto VM-300s are being turned over to the larger parent company, which has over 20 admins, individual local accounts are no longer practical, and we needed to control group policy / admin role centrally on the authentication server.

Still on software version 8.1.18, it was a bit confusing how to do this, as there were several outdated docs out there, but eventually I found https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK which got me on the right track.

Palo Alto Device Setup

Here’s the steps to do this on the Palo Alto device:

  1. If not done already, create a RADIUS or TACACS server profile
  2. If not done already, create an Authentication Profile
  3. Under Device -> Admin Roles, create a new role.
  4. Create or modify a test admin account, defined locally, by setting it to use that role
  5. After verifying roles work as expected, delete that account.
  6. Under Device -> Setup -> Management Tab -> Authentication Settings, set the Authentication Profile for administrative accounts that aren’t defined locally

RADIUS Server Setup

If not done so already, set up a user group to Admin role name mapping on the authentication server. In RADIUS, this is done by adding a vendor-specific attribute (VSA) that maps vendor code 25461 (Palo Alto Networks) to the Admin Role name for the appropriate group. Use Attribute number 1, format = String, and set the attribute value to the admin role name that was created above. This is similar to how Check Point devices (vendor code 2620) operate.

Here’s an example using NPS on Windows Server 2012R2

Upon successful authentication, the authentication server returns the role name in its response, and the user is placed in that role.

Cisco ISE (TACACS) Server Setup

The process is fundamentally the same, and can be found here:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMYmCAO

Note the case is not consistent on their group names: they use “Read-Write” and “Read-only”. You can change these to whatever values you want, as long as they’re in sync.


Giving read-only access on Cisco IOS-XE with RADIUS authentication

Had a simple but time-consuming problem today. Our Cisco IOS-XE 16.12 routers authenticate to AD via RADIUS to Microsoft NPS, with certain AD group(s) having admin privileges. On the router side, the configuration looks like this, where 10.10.10.10 is the NPS server:

aaa group server radius MyRADIUS
 server-private 10.10.10.10 auth-port 1812 acct-port 1813 key 0 abcd1234
 ip vrf forwarding Mgmt-intf
!
aaa new-model
aaa session-id common
!
aaa authentication login default local group MyRADIUS
aaa authentication enable default none
aaa authorization config-commands
aaa authorization exec default local group MyRADIUS if-authenticated

In NPS, I have a policy to match the appropriate Windows Group with Authentication Type = PAP and NAS Port Type = Virtual.  In the Settings tab, I then have this Vendor Specific RADIUS Attribute:

Name: Cisco-AV-Pair
Vendor: Cisco
Value: priv-lvl=15

This allows users in this group to SSH to any router and immediately land at privilege level 15, which gives them full admin access.
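Both the Palo Alto admin-role mapping in the first section and the Cisco-AV-Pair above are the same RFC 2865 mechanism: a Vendor-Specific attribute (type 26) wrapping a vendor ID and a vendor sub-attribute. The example below is added here and is not code from the original post or from Palo Alto or Cisco; it encodes the two VSAs exactly as NPS would place them in an Access-Accept, and parses a constructed attribute list back into the role / privilege level the device would act on. The vendor IDs (25461 for Palo Alto, 9 for Cisco) and the vendor-type 1 string sub-attribute are the ones described in the text; the sample attribute bytes and the function names are constructed for this illustration. It is useful when a packet capture of the RADIUS reply needs to be checked against what the NPS policy was supposed to send.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26   # RFC 2865 attribute type that carries VSAs
VENDOR_PALO_ALTO = 25461      # Palo Alto Networks private enterprise number
VENDOR_CISCO = 9              # Cisco Systems private enterprise number
PALOALTO_ADMIN_ROLE = 1       # vendor-type 1, string: the admin role name
CISCO_AVPAIR = 1              # vendor-type 1, string: Cisco-AVPair, e.g. "priv-lvl=15"


def encode_vsa(vendor_id: int, vendor_type: int, value: str) -> bytes:
    """Build one Vendor-Specific attribute.

    Wire layout: Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) Value(n)
    Both Length fields include their own two-byte header.
    """
    data = value.encode("utf-8")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    total = 2 + len(body)
    if total > 255:
        raise ValueError("attribute too long for a single RADIUS AVP")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, total) + body


def decode_attributes(blob: bytes):
    """Walk a RADIUS attribute list and yield (vendor_id, vendor_type, value) per VSA.

    Non-VSA attributes are skipped; inconsistent length fields raise ValueError
    instead of being silently accepted.
    """
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad attribute length")
        payload = blob[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VENDOR_SPECIFIC:
            continue
        if len(payload) < 6:
            raise ValueError("VSA too short to hold a vendor sub-attribute")
        vendor_id = struct.unpack("!I", payload[:4])[0]
        vpos = 4
        # one VSA may carry several vendor sub-attributes back to back
        while vpos < len(payload):
            if len(payload) - vpos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = payload[vpos], payload[vpos + 1]
            if vlen < 2 or vpos + vlen > len(payload):
                raise ValueError("bad vendor sub-attribute length")
            value = payload[vpos + 2:vpos + vlen].decode("utf-8", errors="replace")
            yield vendor_id, vtype, value
            vpos += vlen


def admin_decision(blob: bytes) -> dict:
    """Reduce an Access-Accept attribute list to what each device type would apply."""
    result = {"paloalto_role": None, "cisco_priv_lvl": None}
    for vendor_id, vtype, value in decode_attributes(blob):
        if vendor_id == VENDOR_PALO_ALTO and vtype == PALOALTO_ADMIN_ROLE:
            result["paloalto_role"] = value
        elif vendor_id == VENDOR_CISCO and vtype == CISCO_AVPAIR and value.startswith("priv-lvl="):
            result["cisco_priv_lvl"] = int(value.split("=", 1)[1])
    return result


def is_well_formed(blob: bytes) -> bool:
    """True if every attribute in the list parses cleanly."""
    try:
        list(decode_attributes(blob))
        return True
    except ValueError:
        return False


# Constructed sample: a Reply-Message (type 18, "OK") followed by the two VSAs
# from the post. Real NPS replies also carry other attributes; these suffice here.
SAMPLE_ACCEPT_ATTRIBUTES = (
    b"\x12\x04OK"
    + encode_vsa(VENDOR_PALO_ALTO, PALOALTO_ADMIN_ROLE, "Read-only")
    + encode_vsa(VENDOR_CISCO, CISCO_AVPAIR, "priv-lvl=15")
)

if __name__ == "__main__":
    print(SAMPLE_ACCEPT_ATTRIBUTES.hex())
    print(admin_decision(SAMPLE_ACCEPT_ATTRIBUTES))
```

The parser rejects length fields that point past the buffer rather than trusting them, which is the usual failure mode when reading attribute lists straight out of a capture. Note that the role name is matched as an exact string by the firewall, so a case mismatch between the NPS value and the Admin Role configured on the device results in the mapping silently not applying.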

Now I needed to give a certain AD group read-only access to view the running configuration. So I created a new policy matching that AD group, and in the RADIUS attributes, under Vendor Specific, I added this one:

Name: Cisco-AV-Pair
Vendor: Cisco
Value: priv-lvl=7

The test account could then SSH to the router and verify privilege level was 7:

Router#show priv
Current privilege level is 7

I then downgraded privileges on each router so that only level 3 was required to view running-config:

privilege exec level 3 show running-config view full
privilege exec level 3 show running-config view
privilege exec level 3 show running-config
privilege exec level 3 show

But when running “show running-config”, they would just get nothing back. As it turns out I needed one more step: lowering the privilege level required for viewing files on the router, since the running configuration is read through the file system.

file privilege 3

Now it works:

Router#show running-config view full
Building configuration...

Current configuration : 15124 bytes
!
! Last configuration change at 15:39:15 UTC Tue Mar 17 2020 by admin
! NVRAM config last updated at 15:39:21 UTC Tue Mar 17 2020 by admin
!
version 16.12
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
service password-encryption
no service dhcp
service call-home