Setting Up Cisco ACS 5.2 for use with Palo Alto with different groups and different roles

Author: Emerald Dixon
This guide assumes that you already know how to configure the Palo Alto device for use with RADIUS, and that you know how to configure the different admin roles. If not, please refer to the Palo Alto manual PaloAltoRadiusVSA.pdf.

1. Configuring Radius Dictionaries (Palo Alto VSA)

Log in to your ACS and open the menu System Administration -> Configuration -> Dictionaries -> Protocols -> Radius -> Radius VSA

Normally there is no Palo Alto Vendor Specific Dictionary present and you'll have to create it, so press Create:

© Chris Camp ([email protected]) 1

Fill in the fields as shown above and press Submit. After submitting you'll be able to go to the PaloAlto submenu (in the Radius VSA menu): System Administration -> Configuration -> Dictionaries -> Protocols -> Radius -> Radius VSA -> PaloAlto

Here you'll have to create the 5 different attributes as shown above. Your dictionary is now ready, and the next step is to use it in your policy.

2. Configuring Authorization Profiles

The first thing we'll have to do is create a new authorization profile, in which we can use our VSA.

In this example we will configure 2 different ones, because we use 2 roles on our device (Panorama): one admin role and one 'read-only' role, which we will call GIO. In the example below we only use one of the 5 Palo Alto attributes (Palo Alto Panorama Admin Role), but if necessary you can use other or more attributes as you need them. So basically we have 2 roles, the default admin role and a self-created role called GIO:

We will need to create two different authorization profiles (which is logical, because we have two different roles with different authorizations). In ACS 5.2 go to: Policy Elements -> Authorization and Permissions -> Network Access -> Authorization Profiles

You normally already have at least the default Permit Access profile. Press Create to create a new one, or select Permit Access and press Duplicate:


Change the name and the description, then go to the tab RADIUS Attributes.

Select Dictionary Type: Radius Palo Alto

Select the needed Radius attribute (in our case Panorama Admin Role) and fill in the name of the role you created on the Panorama device (in the above example we used the default admins role; in the screenshot below you see the custom-created GIO role). Press Add, then Submit. Do the same for your 2nd role:
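As an added example (not part of the original guide), the following Python script encodes the Vendor-Specific attribute that the authorization profile above should make ACS send in its Access-Accept, and decodes a captured RADIUS attribute list back into attribute names. The vendor ID 25461 and the five attribute numbers are those of the Palo Alto RADIUS VSA dictionary referenced at the top of this guide (check them against your copy of PaloAltoRadiusVSA.pdf when you create the attributes in ACS); "GIO" is the role used on this page, while "example-admin-role" is a constructed placeholder for the name of your own admin role.

```python
"""Encode and decode RADIUS Vendor-Specific Attributes (RFC 2865 section 5.26)
for the Palo Alto dictionary, so an Access-Accept captured on the wire can be
compared with what the ACS authorization profile is supposed to send."""
from __future__ import annotations

import struct

RADIUS_TYPE_VSA = 26          # RFC 2865 attribute type for Vendor-Specific
PALOALTO_VENDOR_ID = 25461    # Palo Alto Networks IANA enterprise number

# Vendor attribute numbers from the Palo Alto RADIUS VSA dictionary
# (PaloAltoRadiusVSA.pdf). Verify them against your copy of that document.
PALOALTO_VSA = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
}
VSA_BY_NAME = {name: num for num, name in PALOALTO_VSA.items()}


def encode_vsa(name: str, value: str) -> bytes:
    """Build one Vendor-Specific attribute carrying a single Palo Alto sub-attribute."""
    vendor_type = VSA_BY_NAME[name]
    data = value.encode("utf-8")
    # Inner TLV: Vendor-Type, Vendor-Length (counts these two header bytes), value.
    inner = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + inner
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    # Outer TLV: Type 26, Length (counts the outer header too), Vendor-Id, inner TLV.
    return struct.pack("!BB", RADIUS_TYPE_VSA, 2 + len(body)) + body


def decode_attributes(blob: bytes) -> list[tuple[str, str]]:
    """Walk a RADIUS attribute list and name any Palo Alto sub-attributes found.

    Every length field is validated before slicing, so a malformed or truncated
    capture raises ValueError instead of silently yielding wrong values."""
    out: list[tuple[str, str]] = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        payload = blob[pos + 2 : pos + alen]
        pos += alen
        if atype != RADIUS_TYPE_VSA:
            out.append((f"Attr-{atype}", payload.hex()))   # non-VSA: keep raw hex
            continue
        if len(payload) < 6:
            raise ValueError("VSA too short to hold Vendor-Id and one sub-attribute")
        vendor_id = struct.unpack("!I", payload[:4])[0]
        inner, ipos = payload[4:], 0
        while ipos < len(inner):        # one VSA may carry several sub-attributes
            if len(inner) - ipos < 2:
                raise ValueError("truncated vendor sub-attribute header")
            vtype, vlen = inner[ipos], inner[ipos + 1]
            if vlen < 2 or ipos + vlen > len(inner):
                raise ValueError(f"bad vendor sub-attribute length {vlen}")
            vval = inner[ipos + 2 : ipos + vlen]
            ipos += vlen
            if vendor_id == PALOALTO_VENDOR_ID:
                name = PALOALTO_VSA.get(vtype, f"PaloAlto-Unknown-{vtype}")
            else:
                name = f"Vendor-{vendor_id}-Type-{vtype}"
            out.append((name, vval.decode("utf-8", errors="replace")))
    return out


def expected_accept_attributes(role: str) -> bytes:
    """Attribute list the ACS profile for one Panorama role should produce."""
    return encode_vsa("PaloAlto-Panorama-Admin-Role", role)


if __name__ == "__main__":
    # "GIO" is the role from the guide; "example-admin-role" is a constructed placeholder.
    for role in ("GIO", "example-admin-role"):
        raw = expected_accept_attributes(role)
        print(raw.hex(), "->", decode_attributes(raw))
```

Running it prints the exact bytes each profile should produce. When a login lands in the wrong role, compare these against a packet capture of the Access-Accept between ACS and Panorama: a wrong vendor ID or attribute number entered in the dictionary shows up there immediately, while a role name that does not exist on Panorama shows up as a correctly encoded attribute whose value Panorama does not recognize.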

3. Creating Policies

Now you'll have to tell your ACS when it should use this custom-created authorization profile. This happens in the access policy: here the ACS determines which profile to select and which action to take. This depends heavily on your network and on which protocols and devices you use, and there are many different ways to configure it, so it is possible that in your setup you'll have to do it differently. Still, this example may give you some insight into how ACS 5.2 works. In the example below we have both TACACS and RADIUS present, but the setup is still very simple.

The first step is to go to Access Policies -> Access Services -> Service Selection Rules. Here you create a policy that helps the ACS decide which access service to use. In our example we just use two (the defaults, but you can also create custom ones if needed): the Default Device Admin and the Default Network Admin.


As you can see, we created two simple rules: one directing all TACACS requests to the Default Device Admin service, and one directing all RADIUS traffic to the Default Network Admin. By pressing Customize (bottom left) you can choose which fields to use in the Conditions column. As you can see in the example, we only use the condition Protocol:

If you press Create you will be able to configure your own service selection rule:


After configuring the Service Selection Rules, go to the access service selected in your rule (in our case the Default Network Admin). In the menu: Access Policies -> Access Services -> Default Network Admin -> Authorization


Here again you have the Customize button, where you can specify which conditions you want to use in your policy. In our example we use the device IP address, and we also have to use the identity group, because we want different roles for different groups.

And then, of course, you create an authorization policy:


And the second one, with another identity group and another authorization profile:


Press Save Changes and you’re ready to go.
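To make the two-stage selection described in this section concrete, here is an added example (not ACS code and not part of the original guide) that models how the rule tables behave: Service Selection Rules pick an access service by protocol, the authorization rules of that service pick a profile by device IP address and identity group, rules are evaluated top-down with the first match winning, and a request that matches no rule falls through to an explicit default. The service names are the ones used on this page; the Panorama address 192.0.2.10, the identity group names and the profile names are constructed sample values.

```python
"""Model of ACS 5.2 rule-based policy evaluation: first match wins, and a
request that matches no rule falls through to an explicit default result."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

DENY = "DenyAccess"   # what a request gets when no rule in a table matches


@dataclass(frozen=True)
class Request:
    protocol: str                 # "radius" or "tacacs"
    device_ip: str                # address of the device that sent the request
    identity_groups: frozenset    # identity groups the user resolved to


@dataclass(frozen=True)
class Rule:
    name: str
    result: str                   # access service or authorization profile to select
    protocol: Optional[str] = None          # None means "any protocol"
    device_net: Optional[str] = None        # CIDR; None means "any device"
    identity_group: Optional[str] = None    # None means "any group"

    def matches(self, req: Request) -> bool:
        """All configured conditions must hold; unconfigured ones are ignored."""
        if self.protocol is not None and req.protocol != self.protocol:
            return False
        if self.device_net is not None and (
            ipaddress.ip_address(req.device_ip)
            not in ipaddress.ip_network(self.device_net, strict=False)
        ):
            return False
        if self.identity_group is not None and self.identity_group not in req.identity_groups:
            return False
        return True


def first_match(rules: list[Rule], req: Request, default: str = DENY) -> str:
    """Evaluate a rule table top-down; the first matching rule decides."""
    for rule in rules:
        if rule.matches(req):
            return rule.result
    return default


# Service Selection Rules as in the guide: Protocol is the only condition.
SERVICE_SELECTION = [
    Rule("tacacs-to-device-admin", "Default Device Admin", protocol="tacacs"),
    Rule("radius-to-network-admin", "Default Network Admin", protocol="radius"),
]

# Authorization rules of the Default Network Admin service. The Panorama
# address, group names and profile names are constructed sample values.
PANORAMA_NET = "192.0.2.10/32"
AUTHORIZATION = {
    "Default Network Admin": [
        Rule("panorama-admins", "PaloAlto-Panorama-Admins",
             device_net=PANORAMA_NET, identity_group="All Groups:PanoramaAdmins"),
        Rule("panorama-gio", "PaloAlto-Panorama-GIO",
             device_net=PANORAMA_NET, identity_group="All Groups:GIO"),
    ],
}


def authorize(req: Request) -> tuple[str, str]:
    """Return (access service, authorization profile) chosen for a request."""
    service = first_match(SERVICE_SELECTION, req)
    if service == DENY:
        return DENY, DENY
    return service, first_match(AUTHORIZATION.get(service, []), req)


if __name__ == "__main__":
    gio = Request("radius", "192.0.2.10", frozenset({"All Groups:GIO"}))
    print(authorize(gio))   # ('Default Network Admin', 'PaloAlto-Panorama-GIO')
```

Two behaviours of this model are worth keeping in mind when you build the real rule table: a user who is a member of both identity groups gets whichever rule is listed first, so put the more restrictive role's rule higher if that is the outcome you want, and a user who is in neither group, or who authenticates from a device outside the configured address, ends at the default result of the table, which should be a deny rather than a permit profile that carries no role attribute.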
