topic Re: Login to firewall using external identity server in Network Access Control

Login to firewall using external identity server

Blackhawk1278 — Mon, 04 Apr 2022 12:56:13 GMT

Good morning,

I am attempting to setup our Palo Alto Firewalls to use certificate authentication by sending our login information to ISE using radius and having ISE lookup the identity in active directory as an external authentication source. I realize I can just setup out Palos to do LDAP with AD and perform authentication and authorization but our network security team would like to keep control of the authorization piece instead of relying on the server team to determine who and what kind of access people have to the firewalls. Is this something that will work? I see the connection to ISE over radius and that I can select an external authentication source for the account used in ISE but so far nothing is working.

Re: Login to firewall using external identity server

Charlie Moreton — Mon, 04 Apr 2022 20:49:34 GMT

Check out these articles. If you have Device Admin License and want to use TACACS+ to log into the Palo Alto firewall, then Palo Alto has the steps:

How to configure TACACS authentication against Cisco ISE

If you'd rather use RADIUS to login to the firewall, use this entry:

Configuring Palo Alto Administrator Authentication with Cisco ISE (Radius)

Re: Login to firewall using external identity server

Blackhawk1278 — Mon, 04 Apr 2022 21:02:48 GMT

I don't want to do either of these things. I want to send my credentials to ise using radius and for ise to authenticate those credentials against active directory.

Re: Login to firewall using external identity server

Charlie Moreton — Mon, 04 Apr 2022 22:15:22 GMT

The second link shows how to do this.

Else, use this:

Configure RADIUS Authentication

You'll have to add the firewall as a NAD in a Network Device Group. Then you can use that NDG as a condition for a Policy Set to authenticate to ISE. MS-CHAPv2 is the default protocol that Palo Alto Firewalls use for this.