TACACS+ User Account Management
You can use Terminal Access Controller Access-Control System Plus (TACACS+) Vendor-Specific Attributes (VSAs) to manage firewall and Panorama administrator accounts on an external server. Managing all administrators centrally on an external server is useful in deployments where you don't want to maintain any subset of administrator accounts locally on the firewall or Panorama. You can manage both authentication and authorization for administrators. For authorization, TACACS+ VSAs let you change the roles, access domains, and user groups of administrators by editing the attributes on the TACACS+ server instead of reconfiguring settings on each firewall and Panorama.
In this example procedure, you configure authentication and authorization for firewall administrator accounts that you manage on a TACACS+ server.
- Select Device > Server Profiles > TACACS+ and Add a TACACS+ server profile to define how the firewall connects to the server. As a best practice, select CHAP if the TACACS+ server supports that Authentication Protocol; it is more secure than PAP (CHAP does require the server to store passwords in a reversibly encrypted form; see the server configuration step below).
- Select Device > Authentication Profile and Add an authentication profile to specify the server profile you configured and to configure authentication settings. You must Retrieve user group from TACACS+ to collect user group information from VSAs defined on the TACACS+ server. The firewall matches the group information against the groups you specify in the Allow List (Advanced settings) of the authentication profile.
- Enable the firewall to use the authentication profile for all administrators: select Device > Setup > Management, edit the Authentication Settings, select the Authentication Profile you configured, and click OK.
- Configure an Admin Role profile (Device > Admin Roles) if the administrator will use a custom role instead of a predefined (dynamic) role. The role name you assign in the VSA must match the profile name exactly.
- Select Device > Access Domain and Add access domains if the firewall has more than one virtual system.
- Commit your changes.
- Configure the TACACS+ server. Refer to your TACACS+ server documentation for the steps to:
  - Add the firewall IP address or hostname as the TACACS+ client.
  - Add the administrator accounts. If you selected CHAP as the Authentication Protocol, you must define accounts with reversibly encrypted passwords. Otherwise, CHAP authentication will fail.
  - Define TACACS+ VSAs for the role, access domain, and user group of each administrator.
- Verify that the TACACS+ server performs authentication and authorization for administrators by logging in to the firewall web interface with an administrator account that you added to the TACACS+ server. Verify the following:
  - You can access only the web interface pages that are allowed for the role you associated with the administrator.
  - In the Monitor, Policies, and Objects tabs, you can access only the virtual systems that are allowed for the access domain you associated with the administrator.
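The following server-side configuration is an added, constructed example of the "Configure the TACACS+ server" step; it is not from the PAN-OS documentation or from any TACACS+ vendor. It assumes the shrubbery tac_plus daemon and its tac_plus.conf syntax; the shared secret, user names, passwords, role, access domain and group names are placeholders, and the "PaloAlto" service and "firewall" protocol keywords that carry the VSAs are assumptions about what the firewall requests during authorization. The VSA attribute names (PaloAlto-Admin-Role, PaloAlto-Admin-Access-Domain, PaloAlto-User-Group) are the ones PAN-OS uses. The last account deliberately shows the CHAP failure mode described above.

```conf
# tac_plus.conf (shrubbery tac_plus syntax) - constructed example, not PAN-OS or vendor code.
# Shared secret: must match the Secret in the firewall's TACACS+ server profile.
key = "replace-with-a-long-random-secret"

# Put the authorization VSAs on a group so each administrator needs only a membership line.
# Service/protocol keywords are assumed; attribute names are the PAN-OS VSAs.
group = fw-security-admins {
    service = PaloAlto protocol = firewall {
        # Predefined (dynamic) role, or the exact name of an Admin Role profile on the firewall.
        PaloAlto-Admin-Role = "securityadmin"
        # Name of an access domain defined under Device > Access Domain (multi-vsys firewalls).
        PaloAlto-Admin-Access-Domain = "vsys1-domain"
        # Must appear in the authentication profile's Allow List, or login is refused.
        PaloAlto-User-Group = "fw-security-admins"
    }
}

# CHAP-capable account: the password is stored reversibly (cleartext in tac_plus),
# which is what the firewall's CHAP setting requires.
user = alice {
    member = fw-security-admins
    chap = cleartext "alice-placeholder-password"
}

# Per-user VSAs override the group's: a custom Admin Role profile and a different access domain.
user = bob {
    member = fw-security-admins
    chap = cleartext "bob-placeholder-password"
    service = PaloAlto protocol = firewall {
        PaloAlto-Admin-Role = "noc-readonly"          # custom Admin Role profile name
        PaloAlto-Admin-Access-Domain = "vsys2-domain"
        PaloAlto-User-Group = "fw-noc"                # also listed in the Allow List
    }
}

# Failure mode: only a one-way DES-hashed login password is stored. PAP/ASCII login can
# still succeed, but the server cannot compute a CHAP response, so CHAP authentication fails.
user = carol {
    member = fw-security-admins
    login = des "placeholder-des-hash"
}
```

Client registration (the "add the firewall as a TACACS+ client" step) is not part of the shrubbery tac_plus.conf grammar; restrict which hosts may talk to the daemon with TCP wrappers (/etc/hosts.allow) or a host firewall, allowing only the firewall's management address. After committing on the firewall, check the whole chain before relying on it from the web interface: the PAN-OS CLI command `test authentication authentication-profile <profile-name> username <user> password` (it prompts for the password) reports whether authentication succeeded and which VSAs came back, so a mismatched group name or a CHAP-incapable account like carol shows up there rather than as a silent lockout.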