Login to firewall using external identity server

Blackhawk1278
Level 1

Good morning,

I am attempting to set up our Palo Alto Firewalls to use certificate authentication by sending our login information to ISE using RADIUS and having ISE look up the identity in Active Directory as an external authentication source.  I realize I can just set up our Palos to do LDAP with AD and perform authentication and authorization, but our network security team would like to keep control of the authorization piece instead of relying on the server team to determine who has access to the firewalls and what kind of access they have.  Is this something that will work?  I see the connection to ISE over RADIUS and that I can select an external authentication source for the account used in ISE, but so far nothing is working.

3 Replies

Charlie Moreton
Cisco Employee

Check out these articles.  If you have Device Admin License and want to use TACACS+ to log into the Palo Alto firewall, then Palo Alto has the steps:

How to configure TACACS authentication against Cisco ISE

 

If you'd rather use RADIUS to login to the firewall, use this entry:

Configuring Palo Alto Administrator Authentication with Cisco ISE (Radius)

 

I don't want to do either of these things.  I want to send my credentials to ISE using RADIUS and for ISE to authenticate those credentials against Active Directory.

The second link shows how to do this.

 

Else, use this:

Configure RADIUS Authentication

 

You'll have to add the firewall as a NAD in a Network Device Group.  Then you can use that NDG as a condition for a Policy Set to authenticate to ISE.  MS-CHAPv2 is the default protocol that Palo Alto Firewalls use for this.
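The exchange the replies describe, as an added example that is not part of the original thread and not code from Palo Alto Networks or Cisco: the firewall (the NAD) sends a RADIUS Access-Request carrying the admin's credentials, ISE checks the password against Active Directory, and the authorization decision comes back from ISE's own policy as the PaloAlto-Admin-Role vendor-specific attribute (Palo Alto Networks enterprise number 25461, vendor-type 1) in the Access-Accept. That attribute is what lets the network security team keep authorization on ISE while AD only validates the password. The model uses PAP per RFC 2865 so the packet format is visible; the shared secret, packet identifier, NAS IP, user name and password are assumed values, and "superuser" / "superreader" are PAN-OS's predefined dynamic admin roles. The last function models an on-path impostor who does not know the shared secret and shows why the firewall must verify the Response Authenticator before trusting the role.

```python
# Added example for the thread above, not code from the original post or from
# Palo Alto / Cisco: it models the RADIUS exchange between a Palo Alto firewall
# (the NAD) and Cisco ISE for an admin login, PAP over RFC 2865, and shows where
# the authorization lands: the PaloAlto-Admin-Role vendor attribute
# (Palo Alto Networks enterprise number 25461, vendor-type 1) of the Access-Accept.
# Shared secret, identifier, NAS IP, user name and password are assumed values.
import hashlib
import hmac
import os
import struct

CODE_ACCESS_REQUEST = 1
CODE_ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_VENDOR_SPECIFIC = 26
PALOALTO_VENDOR_ID = 25461          # Palo Alto Networks private enterprise number
VSA_PALOALTO_ADMIN_ROLE = 1         # PaloAlto-Admin-Role: "superuser", "superreader", ...


def pap_encrypt(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def pap_decrypt(ciphertext: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of pap_encrypt, as the RADIUS server runs it before checking the password against AD."""
    out, prev = b"", request_auth
    for i in range(0, len(ciphertext), 16):
        block = ciphertext[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length covers the two header bytes."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def vsa(vendor_id: int, vtype: int, value: bytes) -> bytes:
    """Vendor-Specific (26) wrapping Vendor-Id, Vendor-Type, Vendor-Length, value (RFC 2865 s5.26)."""
    return attr(ATTR_VENDOR_SPECIFIC, struct.pack("!IBB", vendor_id, vtype, len(value) + 2) + value)


def parse_attrs(data: bytes) -> list:
    """Split a run of TLV attributes into (type, value) pairs, rejecting malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute")
        attrs.append((atype, data[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(ident, username, password, secret, nas_ip, request_auth):
    """What the firewall sends; NAS-IP-Address is what the ISE NDG condition matches on."""
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, pap_encrypt(password.encode(), secret, request_auth))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def build_access_accept(ident, request_auth, secret, attrs):
    """ISE reply; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_and_extract_role(packet, request_auth, secret):
    """Firewall side: accept the role only if the Response Authenticator proves knowledge of the secret."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or code != CODE_ACCESS_ACCEPT:
        return None
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return None                      # forged, replayed, or wrong shared secret
    for atype, value in parse_attrs(packet[20:]):
        if atype == ATTR_VENDOR_SPECIFIC and len(value) >= 6 \
                and struct.unpack("!I", value[:4])[0] == PALOALTO_VENDOR_ID:
            for vtype, vvalue in parse_attrs(value[4:]):
                if vtype == VSA_PALOALTO_ADMIN_ROLE:
                    return vvalue.decode()
    return None


def simulate_admin_login(username="jdoe", password="Pa55word!", ad_password="Pa55word!",
                         role="superuser", secret=b"assumed-shared-secret", request_auth=None):
    """Run both sides in-process: ad_password is what AD holds, role is what the ISE policy assigns."""
    request_auth = request_auth or os.urandom(16)
    req = build_access_request(7, username, password, secret, "10.0.0.1", request_auth)
    # ISE side (simulated): recover the PAP password, hand it to AD for validation, then attach
    # the admin role chosen by the authorization policy that matched the firewall's NDG.
    recovered = pap_decrypt(dict(parse_attrs(req[20:]))[ATTR_USER_PASSWORD], secret, req[4:20])
    if recovered != ad_password.encode():
        return None                      # AD rejects; ISE would send Access-Reject
    accept = build_access_accept(req[1], req[4:20], secret,
                                 vsa(PALOALTO_VENDOR_ID, VSA_PALOALTO_ADMIN_ROLE, role.encode()))
    return verify_and_extract_role(accept, request_auth, secret)


def forged_accept(request_auth, secret=b"assumed-shared-secret", wrong_secret=b"guess"):
    """An impostor on the path who lacks the shared secret cannot mint an Accept the firewall trusts."""
    bogus = build_access_accept(7, request_auth, wrong_secret,
                                vsa(PALOALTO_VENDOR_ID, VSA_PALOALTO_ADMIN_ROLE, b"superuser"))
    return verify_and_extract_role(bogus, request_auth, secret)


if __name__ == "__main__":
    print(simulate_admin_login())                 # superuser
    print(simulate_admin_login(ad_password="x"))  # None
    print(forged_accept(os.urandom(16)))          # None
```

In a real deployment none of this is scripted: the firewall side is the PAN-OS RADIUS server profile plus an authentication profile, and the ISE side is the network device entry, the NDG-keyed policy set with AD as the identity source, and an authorization profile that emits PaloAlto-Admin-Role (ISE can only emit that attribute once the Palo Alto RADIUS dictionary has been added to it). Two things the model makes visible: PAP only obfuscates the password with MD5 keyed by the shared secret, so pick a long random secret and prefer PEAP-MSCHAPv2 in the server profile where the ISE allowed-protocols list permits it; and the firewall's trust in the role rests entirely on the Response Authenticator check, so a weak or shared-across-devices secret turns every ISE reply into something an attacker on the management path could forge.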