The following procedure provides an overview of the tasks required to configure RADIUS Vendor-Specific Attributes (VSAs) for administrator authentication to Panorama. For detailed instructions, refer to the following Knowledge Base (KB) articles:
For Windows 2003 Server, Windows 2008 (and later), and Cisco ACS 4.0— RADIUS Vendor-Specific Attributes (VSAs). For Cisco ACS 5.2— Configuring Cisco ACS 5.2 for use with Palo Alto Networks VSAs.
Be sure to complete the following two tasks before you start this procedure:
Create the administrative accounts in the directory service that your network uses (for example, Active Directory). Set up a RADIUS server that can communicate with that directory service.
Use RADIUS Vendor-Specific Attributes for Account Authentication
Configure Panorama. Configure an Admin Role Profile if the administrator will use a custom role. Configure an Access Domain if the administrator will use a Device Group and Template role. Configure a RADIUS server profile. Configure an authentication profile. Set the authentication Type to RADIUS and assign the RADIUS Server Profile. Configure Panorama to use the authentication profile for administrator access: select Panorama > Setup > Management, edit the Authentication Settings, and select the Authentication Profile. Click OK and Commit, select Panorama for the Commit Type, and click Commit again.
Configure the RADIUS server. Add the Panorama IP address or hostname as the RADIUS client. Define the VSAs for administrator authentication. You must specify the vendor code (25461 for Panorama) and the VSA name, number, and value.

Related Documentation