Configure TACACS+ Authentication for a WildFire Appliance
Configure TACACS+ authentication for a WildFire appliance.
You can use a TACACS+ server to authenticate administrative access to the WildFire appliance CLI. You can also define Vendor-Specific Attributes (VSAs) on the TACACS+ server to manage administrator authorization. Using VSAs enables you to quickly change the roles, access domains, and user groups of administrators through your directory service, which is often easier than reconfiguring settings on Panorama.
- Configure TACACS+ authentication.
- Add a TACACS+ server profile.The profile defines how the WildFire appliance connects to the TACACS+ server.
- SelectandPanoramaServer ProfilesTACACS+Adda profile.
- Enter aProfile Nameto identify the server profile.
- Enter aTimeoutinterval in seconds after which an authentication request times out (default is 3; range is 1–20).
- Select theAuthentication Protocol(default isCHAP) that Panorama uses to authenticate to the TACACS+ server.
- SelectCHAPif the TACACS+ server supports that protocol; it is more secure thanPAP.
- Addeach TACACS+ server and enter the following:
- Nameto identify the server.
- TACACS+ ServerIP address or FQDN.
- Secret/Confirm Secret(a key to encrypt usernames and passwords).
- ServerPortfor authentication requests (default is 49).
- ClickOKto save the server profile.
- Assign the TACACS+ server profile to an authentication profile.The authentication profile defines authentication settings that are common to a set of administrators.
- SelectandPanoramaAuthentication ProfileAdda profile.
- Enter aNameto identify the profile.
- Set theTypetoTACACS+.
- Select theServer Profileyou configured.
- SelectRetrieve user group from TACACS+to collect user group information from VSAs defined on the TACACS+ server.Panorama matches the group information against the groups you specify in the Allow List of the authentication profile.
- SelectAdvancedand, in the Allow List,Addthe administrators that are allowed to authenticate with this authentication profile.
- ClickOKto save the authentication profile.
- Configure the authentication for the WildFire appliance.
- Selectand select the WildFire appliance you previously added.PanoramaManaged WildFire Appliance
- Select theAuthentication Profileyou configured in the previous step.If a global authentication profile is not assigned you must assign an authentication profile to each individual local administrator to leverage remote authentication.
- Configure the authenticationTimeout Configurationfor the WildFire appliance.
- Enter the number ofFailed Attempts before a user is locked out of the WildFire appliance CLI.
- Enter theLockout Time, in minutes, for which the WildFire appliance locks out a user account after that user reaches the configured number ofFailed Attempts.
- Enter theIdle Timeout, in minutes, before the user account is automatically logged out due to inactivity.
- Enter theMax Session Countto set how many user accounts can simultaneously access the WildFire appliance.
- Enter theMax Session Timethe administrator can be logged in before being automatically logged out.
- Add the WildFire appliance administrators.Administrators may either be added as a local administrator or as an imported Panorama administrator—but not both. Adding the same administrator as both a local administrator and as an imported Panorama administrator is not supported and causes the Panorama commit to fail. For example, the commit to Panorama fails if you addadmin1as both a local and Panorama administrator.
- Addand configure new administrators unique to the WildFire appliancer. These administrators are specific to the WildFire appliance for which they are created and you manage these administrators from this table.
- Addany administrators configured on Panorama. These administrators are created on Panorama and imported to the WildFire appliance.
- ClickOKto save the WildFire appliance authentication configuration.
- Commitand thenCommit and Pushyour configuration changes.
- Access the WildFire appliance CLI to verify you can successfully access the WildFire appliance using the local admin user.
Recommended For You
Recommended videos not found.