TACACS+ User Account Management
You can now use Terminal Access Controller Access-Control System Plus (TACACS+) Vendor-Specific Attributes (VSAs) to manage firewall and Panorama administrator accounts on an external server. Centrally managing all administrators on an external server is useful in deployments where you do not want to manage some administrators locally on the firewall and Panorama. You can manage both authentication and authorization for administrators. For authorization, TACACS+ VSAs enable you to quickly change the roles, access domains, and user groups of administrators through your directory service instead of reconfiguring settings on the firewall and Panorama.
In this example procedure, you configure authentication and authorization for firewall administrator accounts that you manage on a TACACS+ server.
- Select Device > Server Profiles > TACACS+ and Add a TACACS+ server profile to define how the firewall connects to the server. As a best practice, select CHAP as the Authentication Protocol if the TACACS+ server supports it; it is more secure than PAP.
- Select Device > Authentication Profile and Add an authentication profile that specifies the server profile you configured and sets the authentication settings. You must select Retrieve user group from TACACS+ to collect user group information from VSAs defined on the TACACS+ server. The firewall matches the group information against the groups you specify in the Allow List (Advanced settings) of the authentication profile.
- Enable the firewall to use the authentication profile for all administrators: select Device > Setup > Management, edit the Authentication Settings, select the Authentication Profile you configured, and click OK.
- Configure an Admin Role profile if the administrator will use a custom role instead of a predefined (dynamic) role.
- Select Device > Access Domain and Add access domains if the firewall has more than one virtual system.
- Commit your changes.
- Configure the TACACS+ server. Refer to your TACACS+ server documentation for the steps to:
  - Add the firewall IP address or hostname as the TACACS+ client.
  - Add the administrator accounts.
  If you selected CHAP as the Authentication Protocol, you must define accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.
- Verify that the TACACS+ server performs authentication and authorization for administrators by logging in to the firewall web interface with an administrator account that you added to the TACACS+ server. Verify the following:
  - You can access only the web interface pages that are allowed for the role you associated with the administrator.
  - In the Monitor, Policies, and Objects tabs, you can access only the virtual systems that are allowed for the access domain you associated with the administrator.
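As an added example (it is not from the original page or from Palo Alto Networks), the following Shrubbery tac_plus configuration carries out the server-side steps above for the firewall case: it registers the firewall as a client, adds two administrator accounts with reversibly stored passwords so that CHAP works, and returns the role, access domain and group through VSAs. The page does not list the attribute names; the example assumes the attributes PaloAlto-Admin-Role, PaloAlto-Admin-Access-Domain and PaloAlto-User-Group under service PaloAlto, protocol firewall, and that your tac_plus build supports per-host keys. The IP address, shared secret, passwords, role, access domain and group names are placeholders. Verify the attribute names against the documentation for your PAN-OS release.

```conf
# Added example tac_plus.conf (not from the PAN-OS documentation).
# Assumed VSA names and service/protocol names: PaloAlto / firewall,
# PaloAlto-Admin-Role, PaloAlto-Admin-Access-Domain, PaloAlto-User-Group.
# All addresses, secrets, passwords and names below are placeholders.

# Shared secret; must match the Secret in the firewall's TACACS+ server profile.
key = "replace-with-a-long-random-secret"

# Step "add the firewall as the TACACS+ client": a host block scopes a key
# to one client so that a leaked secret on one device does not expose others.
host = 192.0.2.10 {
    key = "replace-with-a-long-random-secret"
}

# Step "add the administrator accounts".
# "chap = cleartext" stores the password reversibly, which CHAP needs to
# compute the challenge response; a one-way hash here would make CHAP fail,
# as the note above warns. "login = cleartext" covers PAP logins.
user = alice {
    chap  = cleartext "replace-me"
    login = cleartext "replace-me"
    service = PaloAlto protocol = firewall {
        # Predefined (dynamic) role: no Admin Role profile is needed on the firewall.
        PaloAlto-Admin-Role = "superuser"
        # Must match an entry in the authentication profile's Allow List.
        PaloAlto-User-Group = "fw-admins"
    }
}

user = bob {
    chap  = cleartext "replace-me"
    login = cleartext "replace-me"
    service = PaloAlto protocol = firewall {
        # Custom role: the name must match an Admin Role profile on the firewall.
        PaloAlto-Admin-Role = "vsys1-operator"
        # Name of an Access Domain configured on the firewall; limits bob to
        # the virtual systems in that domain in the Monitor, Policies and Objects tabs.
        PaloAlto-Admin-Access-Domain = "vsys1-domain"
        PaloAlto-User-Group = "fw-operators"
    }
}
```

Two checks worth making before the verification step: the value sent in PaloAlto-User-Group must also appear in the Allow List of the authentication profile, because that is the only place the firewall matches it; and a custom role or access domain named in a VSA must already exist (and be committed) on the firewall, otherwise the firewall has nothing to map the administrator to even though the TACACS+ server authenticated the user.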