TACACS+

Terminal Access Controller Access-Control System Plus (TACACS+) is a family of protocols that enable authentication and authorization through a centralized server. TACACS+ encrypts usernames and passwords, making it more secure than RADIUS, which encrypts only passwords. TACACS+ is also more reliable because it uses TCP, whereas RADIUS uses UDP. You can configure TACACS+ authentication for end users or administrators on the firewall and for administrators on Panorama. Optionally, you can use TACACS+ Vendor-Specific Attributes (VSAs) to manage administrator authorization. TACACS+ VSAs enable you to quickly change the roles, access domains, and user groups of administrators through your directory service instead of reconfiguring settings on the firewall and Panorama.
The firewall and Panorama support the following TACACS+ attributes and VSAs. Refer to your TACACS+ server documentation for the steps to define these VSAs on the TACACS+ server.
Name
Value
service
This attribute is required to identify the VSAs as specific to Palo Alto Networks. You must set the value to
paloalto
.
protocol
This attribute is required to identify the VSAs as specific to Palo Alto Networks devices. You must set the value to
firewall
.
PaloAlto-Admin-Role
A default (dynamic) administrative role name or a custom administrative role name on the firewall.
PaloAlto-Admin-Access-Domain
The name of an access domain for firewall administrators (configured in the
Device
Access Domains
page). Define this VSA if the firewall has multiple virtual systems.
PaloAlto-Panorama-Admin-Role
A default (dynamic) administrative role name or a custom administrative role name on Panorama.
PaloAlto-Panorama-Admin-Access-Domain
The name of an access domain for Device Group and Template administrators (configured in the
Panorama
Access Domains
page).
PaloAlto-User-Group
The name of a user group in the Allow List of an authentication profile.

Related Documentation