Terminal Access Controller Access-Control System Plus (TACACS+) is a protocol that provides authentication and authorization through a centralized server. TACACS+ obfuscates the entire packet body, including usernames and passwords, whereas RADIUS protects only the password attribute, so less of the exchange is visible to an on-path observer. TACACS+ also runs over TCP, which gives it reliable delivery, whereas RADIUS uses UDP. Note that the TACACS+ body protection is an XOR with an MD5-derived keystream seeded from the shared secret (RFC 8907 calls it obfuscation rather than encryption) and carries no integrity check, so keep the firewall-to-server path on a trusted management network or inside a tunnel and use a long, unique shared secret per server. You can configure TACACS+ authentication for end users or administrators on the firewall and for administrators on Panorama. Optionally, you can use TACACS+ Vendor-Specific Attributes (VSAs) to manage administrator authorization. TACACS+ VSAs enable you to change the roles, access domains, and user groups of administrators through your directory service instead of reconfiguring settings on the firewall and Panorama.
The firewall and Panorama support the following TACACS+ attributes and VSAs. Refer to your TACACS+ server documentation for the steps to define these VSAs on the TACACS+ server.
service: This attribute is required to identify the VSAs as specific to Palo Alto Networks. You must set the value to paloalto.
protocol: This attribute is required to identify the VSAs as specific to Palo Alto Networks devices. You must set the value to firewall.
PaloAlto-Admin-Role: A default (dynamic) administrative role name or a custom administrative role name on the firewall.
PaloAlto-Admin-Access-Domain: The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.
PaloAlto-Panorama-Admin-Role: A default (dynamic) administrative role name or a custom administrative role name on Panorama.
PaloAlto-Panorama-Admin-Access-Domain: The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).
PaloAlto-User-Group: The name of a user group in the Allow List of an authentication profile.
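The authorization exchange behind the attribute list above, as an added Python example that is not part of this page and not PAN-OS, Panorama or TACACS+ server code: the firewall's AUTHOR REQUEST carries service and protocol, the server's AUTHOR REPLY carries the VSAs, both bodies are obfuscated with the shared secret using the RFC 8907 MD5 pseudo-pad, and the firewall side turns the reply into the administrator's attribute set. PaloAlto-Admin-Role and PaloAlto-Admin-Access-Domain are the Palo Alto Networks VSA names; the shared secret, session ID, the username alice, the role superuser and the access domain dmz-admins are made-up inputs. It also shows what the body protection really is: a keystream XOR with no integrity check, so a mismatched shared secret yields garbage that is only caught when the reply's lengths stop adding up.

```python
"""TACACS+ (RFC 8907) authorization exchange carrying the Palo Alto VSAs.
Added illustration, not Palo Alto Networks code; session ID, shared secret,
username, role and access-domain names below are made up."""
import hashlib
import re
import struct

VERSION = 0xC0                   # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02           # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
AUTHOR_STATUS_PASS_ADD = 0x01    # use request args plus reply args
AUTHOR_STATUS_PASS_REPL = 0x02   # use reply args only; anything else (FAIL 0x10, ERROR 0x11) denies
HEADER = struct.Struct("!BBBB4sI")  # version, type, seq_no, flags, session_id, body length

def keystream(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 pseudo-pad: chained MD5 over session_id|key|version|seq_no|prev."""
    out, prev = b"", b""
    while len(out) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        out += prev
    return out[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    return bytes(b ^ p for b, p in zip(body, keystream(session_id, key, version, seq_no, len(body))))

def pack_packet(ptype, seq_no, session_id, body, key):
    """Prepend the 12-byte header; an empty key sends the body in the clear with the flag set."""
    payload = obfuscate(body, session_id, key, VERSION, seq_no) if key else body
    return HEADER.pack(VERSION, ptype, seq_no, 0 if key else TAC_PLUS_UNENCRYPTED_FLAG,
                       session_id, len(payload)) + payload

def unpack_packet(packet, key):
    """Split header and body, de-obfuscating the body unless the clear flag is set."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body

def build_author_request(user, args, port=b"https", rem_addr=b"192.0.2.10"):
    """AUTHOR REQUEST body (RFC 8907 section 6.1) for an administrator's login session."""
    enc = [a.encode() for a in args]
    # authen_method 0x06 TACACSPLUS, priv_lvl 1, authen_type 0x01 ASCII, authen_service 0x01 LOGIN
    fixed = struct.pack("!8B", 0x06, 1, 0x01, 0x01, len(user), len(port), len(rem_addr), len(enc))
    return fixed + bytes(len(a) for a in enc) + user + port + rem_addr + b"".join(enc)

def build_author_reply(status, args, server_msg=b""):
    """AUTHOR REPLY body (RFC 8907 section 6.2): verdict, lengths, message, attribute-value pairs."""
    enc = [a.encode() for a in args]
    fixed = struct.pack("!BBHH", status, len(enc), len(server_msg), 0)
    return fixed + bytes(len(a) for a in enc) + server_msg + b"".join(enc)

def parse_author_reply(body):
    """Return (status, server_msg, args); a wrong shared secret shows up only as a length mismatch."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    lens, pos = body[6:6 + arg_cnt], 6 + arg_cnt
    server_msg, pos = body[pos:pos + msg_len], pos + msg_len + data_len
    if len(lens) != arg_cnt or len(server_msg) != msg_len or pos > len(body):
        raise ValueError("malformed AUTHOR REPLY (wrong shared secret?)")
    args = []
    for n in lens:
        args.append(body[pos:pos + n].decode())   # UnicodeDecodeError is a ValueError as well
        pos += n
    if pos != len(body):
        raise ValueError("malformed AUTHOR REPLY (wrong shared secret?)")
    return status, server_msg, args

def authorize_admin(reply_packet, key, request_args=()):
    """Firewall side: apply the reply status and return {attribute: value}, or None to deny."""
    ptype, _seq, _sid, body = unpack_packet(reply_packet, key)
    if ptype != TAC_PLUS_AUTHOR:
        raise ValueError("expected an authorization packet")
    status, _msg, reply_args = parse_author_reply(body)
    if status == AUTHOR_STATUS_PASS_ADD:
        args = list(request_args) + reply_args
    elif status == AUTHOR_STATUS_PASS_REPL:
        args = reply_args
    else:
        return None
    attrs = {}
    for pair in args:
        m = re.fullmatch(r"([^=*]+)[=*](.*)", pair)   # attr=value is mandatory, attr*value optional
        if not m:
            raise ValueError("bad attribute-value pair: %r" % pair)
        attrs[m.group(1)] = m.group(2)
    return attrs

def example_exchange(key=b"s3cret-shared-key", firewall_key=None):
    """Constructed round trip; pass a different firewall_key to see what a secret mismatch does."""
    session_id, request_args = b"\x12\x34\x56\x78", ["service=paloalto", "protocol=firewall"]
    request = pack_packet(TAC_PLUS_AUTHOR, 1, session_id, build_author_request(b"alice", request_args), key)
    _, _, sid, _ = unpack_packet(request, key)   # server: de-obfuscate, look alice up, decide
    reply_args = ["PaloAlto-Admin-Role=superuser", "PaloAlto-Admin-Access-Domain=dmz-admins"]
    reply = pack_packet(TAC_PLUS_AUTHOR, 2, sid, build_author_reply(AUTHOR_STATUS_PASS_ADD, reply_args), key)
    return authorize_admin(reply, key if firewall_key is None else firewall_key, request_args)

if __name__ == "__main__":
    print(example_exchange())
```

Running the module prints the merged attribute set the firewall would act on (service, protocol, PaloAlto-Admin-Role, PaloAlto-Admin-Access-Domain). Calling example_exchange(firewall_key=b"wrong-secret") raises ValueError from the reply parser rather than from any authentication of the packet, which is the practical reason to treat the shared secret and the network path as the security boundary of a TACACS+ deployment.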