TACACS+ User Account Management

You can now use Terminal Access Controller Access-Control System Plus (TACACS+) Vendor-Specific Attributes (VSAs) to manage firewall and Panorama administrator accounts on an external server. Using an external server to centrally manage all administrators is useful in deployments where you don’t want to use the firewall and Panorama to manage a subset of administrators. You can manage both authentication and authorization for administrators. For authorization, TACACS+ VSAs enable you to quickly change the roles, access domains, and user groups of administrators through your directory service instead of reconfiguring settings on the firewall and Panorama.
In this example procedure, you configure authentication and authorization for firewall administrator accounts that you manage on a TACACS+ server.
  1. Select Device > Server Profiles > TACACS+ and Add a TACACS+ server profile to define how the firewall connects to the server.
     As a best practice, select CHAP as the Authentication Protocol if the TACACS+ server supports it; it is more secure than PAP.
  2. Select Device > Authentication Profile and Add an authentication profile to specify the server profile you configured and to configure authentication settings.
     You must select Retrieve user group from TACACS+ to collect user group information from VSAs defined on the TACACS+ server. The firewall matches the group information against the groups you specify in the Allow List (Advanced settings) of the authentication profile.
  3. Enable the firewall to use the authentication profile for all administrators: select Device > Setup > Management, edit the Authentication Settings, select the Authentication Profile you configured, and click OK.
  4. Configure an Admin Role profile if the administrator will use a custom role instead of a predefined (dynamic) role.
  5. Select Device > Access Domain and Add access domains if the firewall has more than one virtual system.
  6. Commit your changes.
  7. Configure the TACACS+ server. Refer to your TACACS+ server documentation for the steps to:
     • Add the firewall IP address or hostname as the TACACS+ client.
     • Add the administrator accounts.
       If you selected CHAP as the Authentication Protocol, you must define accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.
     • Define TACACS+ VSAs for the role, access domain, and user group of each administrator.
  8. Verify that the TACACS+ server performs authentication and authorization for administrators by logging in to the firewall web interface with an administrator account that you added to the TACACS+ server. Verify the following:
     • You can access only the web interface pages that are allowed for the role you associated with the administrator.
     • In the Monitor, Policies, and Objects tabs, you can access only the virtual systems that are allowed for the access domain you associated with the administrator.
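The following is an added example, not PAN-OS code or code from any TACACS+ server, that models what steps 2, 7 and 8 rely on: the firewall receives the administrator's role, access domain and user group as TACACS+ attribute-value pairs in the authorization reply, and then checks the retrieved group against the authentication profile's Allow List, the role against the predefined roles and configured Admin Role profiles, and the access domain against the configured access domains. The attribute names are the ones PAN-OS documents for its VSAs; the sample reply, the allow list and all profile and domain names are constructed, and the exact precedence of the checks is this example's own, not a statement of how PAN-OS evaluates them.

```python
"""Decode a TACACS+ authorization reply for a firewall administrator.

Added example (not PAN-OS code). RFC 8907 encodes each authorization
argument as 'attr=value' (mandatory) or 'attr*value' (optional); the
firewall-side checks below mirror the procedure in the text.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# VSA names documented by PAN-OS for firewall administrators
# (assumed here to match the attributes defined on the TACACS+ server).
ROLE_ATTR = "PaloAlto-Admin-Role"
DOMAIN_ATTR = "PaloAlto-Admin-Access-Domain"
GROUP_ATTR = "PaloAlto-User-Group"

# Predefined (dynamic) firewall administrator roles in PAN-OS.
PREDEFINED_ROLES = {"superuser", "superreader", "deviceadmin",
                    "devicereader", "vsysadmin", "vsysreader"}

# Constructed sample authorization reply for one administrator.
SAMPLE_REPLY = [
    "PaloAlto-Admin-Role=fw-audit-ro",          # custom Admin Role profile
    "PaloAlto-Admin-Access-Domain=vsys2-domain",
    "PaloAlto-User-Group=fw-readers",
    "PaloAlto-User-Group=helpdesk",
]


@dataclass
class AuthzResult:
    allowed: bool
    reason: str
    role: Optional[str] = None
    access_domain: Optional[str] = None
    groups: List[str] = field(default_factory=list)


def parse_av_pairs(args: List[str]) -> List[Tuple[str, str, bool]]:
    """Split TACACS+ arguments into (attribute, value, mandatory).

    The separator is the first '=' or '*' in the argument, so a value may
    itself contain either character.
    """
    pairs = []
    for arg in args:
        positions = [i for i in (arg.find("="), arg.find("*")) if i != -1]
        if not positions:
            raise ValueError(f"malformed TACACS+ argument: {arg!r}")
        sep = min(positions)
        pairs.append((arg[:sep], arg[sep + 1:], arg[sep] == "="))
    return pairs


def authorize_admin(reply_args, allow_list, admin_role_profiles,
                    access_domains, multi_vsys=True) -> AuthzResult:
    """Apply the firewall-side checks to a parsed authorization reply."""
    role = domain = None
    groups: List[str] = []
    for attr, value, mandatory in parse_av_pairs(reply_args):
        if attr == ROLE_ATTR:
            role = value
        elif attr == DOMAIN_ATTR:
            domain = value
        elif attr == GROUP_ATTR:
            groups.append(value)
        elif mandatory:
            # Fail closed on a mandatory attribute we do not understand;
            # unknown optional attributes are simply ignored.
            return AuthzResult(False, f"unsupported mandatory attribute {attr}")

    # Step 2: the retrieved group must match the Allow List ('all' or a group).
    if "all" not in allow_list and not any(g in allow_list for g in groups):
        return AuthzResult(False, "no retrieved user group is in the Allow List",
                           groups=groups)

    # Step 4: the role is a predefined role or a configured Admin Role profile.
    if role is None:
        return AuthzResult(False, f"{ROLE_ATTR} missing", groups=groups)
    if role not in PREDEFINED_ROLES and role not in admin_role_profiles:
        return AuthzResult(False, f"unknown role {role!r}", groups=groups)

    # Step 5: on a multi-vsys firewall a custom role needs a known access domain.
    if domain is not None and domain not in access_domains:
        return AuthzResult(False, f"unknown access domain {domain!r}",
                           role=role, groups=groups)
    if multi_vsys and domain is None and role not in PREDEFINED_ROLES:
        return AuthzResult(False, "custom role requires an access domain",
                           role=role, groups=groups)

    return AuthzResult(True, "authorized", role=role,
                       access_domain=domain, groups=groups)


if __name__ == "__main__":
    print(authorize_admin(SAMPLE_REPLY, allow_list={"fw-readers"},
                          admin_role_profiles={"fw-audit-ro"},
                          access_domains={"vsys2-domain"}))
```

The result carries the reason for a denial so that the verification in step 8 can be traced to a specific missing or mismatched attribute rather than a generic login failure.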
