There are several ways of authenticating toward the management interface of a Palo Alto Networks Firewall (PANW). The authentications options boils down to three distinct ways namely (or mixes of the three):
- Local Username, Local Password
- Local Username, Remote Password
- Remote Username, Remote Password
For a small deployment with few administrators option #1 i viable through not wildly secure as the on-box password is seldom changed. Better security is obtained in option #2 by linking the local User (The reason for having the local User is in order to provide the assigned roles and privileges) to an external password source (LDAP, RADIUS, TACACS, SAML, Kerberos) as this is often enforced changed at regular intervals. However this scales very poorly when the amount of administrators becomes greater or changes often. For these environments, and as a general best-practice, remote authentication and authorization is preferred which is option #3.
By far the most common way of implementing option #3 is through RADIUS, though TACACS and SAML is also supported for this deployment (but not LDAP). RADIUS authentication can be implemented in many different products which includes a RADIUS server (most often NAC products). Microsoft NPS can be used if cost is paramount but is not very admin friendly and scales poorly if also needed for 802.1x purposes. In this post I will show how to implement it using Cisco Identity Service Engine (ISE) 2.3 as this is a common platform throughout the industry.
Prepping Cisco ISE 2.3
Cisco ISE does not come prepopulated with the necessary RADIUS Vendor Specific Attributes (VSA) required for Palo Alto Networks. These needs to be implemented by hand, either by manually writing the following values into a custom dictionary or by importing the one below I have exported for the same purpose.
In order for everyone not having to write everything themselves I have Exported the Dictionary from ISE 126.96.36.1998 for easily download and import (dictionary.PaloAltoNetworks). It is fairly easy to import the new dictionary as shown below.
After the import it should look something like below. Note that there are 10 defined VSAs but only the five first are used for authorization. The remaining five are used for Global Protect.
The next step is to add a new network device profile with a reference to the newly created dictionary.
The last step is to add the Firewalls to the list of network devices
Then the needed authorization profiles can be made
Values for the Admin-Role attribute (which is the most important one) are given in the table below:
# PaloAlto-Admin-Role is the name of the role for the user # it can be the name of a custom Admin role profile configured on the # PAN device or one of the following predefined roles # superuser : Superuser # superreader : Superuser (read-only) # deviceadmin : Device administrator # devicereader : Device administrator (read-only) # vsysadmin : Virtual system administrator # vsysreader : Virtual system administrator (read-only)
And lastly the authentication policies can be written in ISE as usual.
Setting up the Palo Alto Firewall
Only a few steps are required in order to set RADIUS validation up on the Palo Alto Firewall.
Pressing the configure button (4) will take you to a simple menu. Note again that only some authentication methods are supported here (this is due to the capability of role assignment).
Finally we are able to login using our validated credentials from Cisco ISE as well as having the privileges and roles specified in the Palo Alto Firewall but referenced through Cisco ISE.