TACACS+ User Account Management

You can now use Terminal Access Controller Access-Control System Plus (TACACS+) Vendor-Specific Attributes (VSAs) to manage firewall and Panorama administrator accounts on an external server. Using an external server to centrally manage all administrators is useful in deployments where you don’t want to use the firewall and Panorama to manage a subset of administrators. You can manage both authentication and authorization for administrators. For authorization, TACACS+ VSAs enable you to quickly change the roles, access domains, and user groups of administrators through your directory service instead of reconfiguring settings on the firewall and Panorama.
In this example procedure, you configure authentication and authorization for firewall administrator accounts that you manage on a TACACS+ server.
  1. Select DeviceServer ProfilesTACACS+ and Add a TACACS+ server profile to define how the firewall connects to the server.
    As a best practice, select CHAP if the TACACS+ server supports that Authentication Protocol; it is more secure than PAP.
  2. Select DeviceAuthentication Profile and Add an authentication profile to specify the server profile you configured and to configure authentication settings.
    You must Retrieve user group from TACACS+ to collect user group information from VSAs defined on the TACACS+ server. The firewall matches the group information against the groups you specify in the Allow List (Advanced settings) of the authentication profile.
  3. Enable the firewall to use the authentication profile for all administrators—Select DeviceSetupManagement, edit the Authentication Settings, select the Authentication Profile you configured, and click OK.
  4. Configure an Admin Role profile if the administrator will use a custom role instead of a predefined (dynamic) role.
  5. Select DeviceAccess Domain and Add access domains if the firewall has more than one virtual system.
  6. Commit your changes.
  7. Configure the TACACS+ server—Refer to your TACACS+ server documentation for the steps to:
    • Add the firewall IP address or hostname as the TACACS+ client.
    • Add the administrator accounts.
    If you selected CHAP as the Authentication Protocol, you must define accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.
    • Define TACACS+ VSAs for the role, access domain, and user group of each administrator.
  8. Verify that the TACACS+ server performs authentication and authorization for administrators by logging in to the firewall web interface with an administrator account that you added to the TACACS+ server. Verify the following:
    • You can access only the web interface pages that are allowed for the role you associated with the administrator.
    • In the Monitor, Policies, and Objects tabs, you can access only the virtual systems that are allowed for the access domain you associated with the administrator.

Related Documentation