Terminal Access Controller Access-Control System Plus
(TACACS+) is a protocol that provides authentication and
authorization through a centralized server. TACACS+ encrypts the
entire packet body (usernames, passwords and authorization attributes),
whereas RADIUS encrypts only the password attribute, which makes TACACS+
the more secure choice of the two. Note that TACACS+ body protection is
an MD5-derived keystream rather than authenticated encryption, so the
TACACS+ server should be reachable only over a trusted management network.
TACACS+ is also more reliable because it uses TCP, whereas RADIUS uses UDP.
You can configure TACACS+ authentication for end users or administrators
on the firewall and for administrators on Panorama. Optionally, you can use
TACACS+ Vendor-Specific Attributes (VSAs) to manage administrator
authorization. TACACS+ VSAs enable you to change the roles, access domains,
and user groups of administrators centrally, on the TACACS+ server or the
directory service it consults, instead of reconfiguring each firewall and
Panorama.
The firewall and Panorama support the following TACACS+ attributes
and VSAs. Refer to your TACACS+ server documentation for the steps
to define these VSAs on the TACACS+ server.
Name / Value

service
    Required. Identifies the VSAs as specific to Palo Alto Networks.
    You must set the value to PaloAlto.

protocol
    Required. Identifies the VSAs as specific to Palo Alto Networks
    devices. You must set the value to firewall.

PaloAlto-Admin-Role
    A default (dynamic) administrative role name or a custom
    administrative role name on the firewall.

PaloAlto-Admin-Access-Domain
    The name of an access domain for firewall administrators
    (configured on the Device > Access Domains page). Define this
    VSA if the firewall has multiple virtual systems.

PaloAlto-Panorama-Admin-Role
    A default (dynamic) administrative role name or a custom
    administrative role name on Panorama.

PaloAlto-Panorama-Admin-Access-Domain
    The name of an access domain for Device Group and Template
    administrators (configured on the Panorama > Access Domains page).

PaloAlto-User-Group
    The name of a user group in the Allow List of an
    authentication profile.
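The attributes in the table travel as TACACS+ authorization arguments ("attr=value" pairs, or "attr*value" for optional ones) in the server's authorization REPLY. The following is an added example written for this page, not Palo Alto Networks' or any TACACS+ server's own code: it builds such a REPLY carrying the PaloAlto VSAs, applies the RFC 8907 MD5 body obfuscation with a shared key, parses the packet back, and applies the rule from the table that the PaloAlto-* attributes count only when service=PaloAlto and protocol=firewall are present. The shared key, session ID, sequence number, role name and access-domain name are constructed sample values; how the firewall itself parses the reply is not described on this page.

```python
"""TACACS+ authorization REPLY with Palo Alto Networks VSAs (RFC 8907).
Example code for this page; not a Palo Alto Networks or TACACS+ server
implementation.  Key, session ID and attribute values are constructed."""
import hashlib
import struct

# Header constants (RFC 8907 section 4.1) and authorization status codes (6.2).
TAC_PLUS_MAJOR_VER, TAC_PLUS_MINOR_VER = 0xC, 0x0
TAC_PLUS_AUTHOR = 0x02
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_ADD = 0x01
TAC_PLUS_AUTHOR_STATUS_PASS_REPL = 0x02
TAC_PLUS_AUTHOR_STATUS_FAIL = 0x10

# The VSA names from the table above.
PAN_VSAS = {
    "PaloAlto-Admin-Role", "PaloAlto-Admin-Access-Domain",
    "PaloAlto-Panorama-Admin-Role", "PaloAlto-Panorama-Admin-Access-Domain",
    "PaloAlto-User-Group",
}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream (RFC 8907 4.5): pad_1 = MD5(sid|key|ver|seq),
    pad_n = MD5(sid|key|ver|seq|pad_n-1).  Obfuscation, not authenticated
    encryption: a passive attacker who knows the key reads everything."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def encode_author_reply(status, args, server_msg=b"", data=b""):
    """REPLY body: status, arg_cnt, server_msg_len, data_len, one length
    byte per argument, then server_msg, data and the arguments themselves."""
    enc = [a.encode("ascii") for a in args]
    if any(len(a) > 255 for a in enc):
        raise ValueError("TACACS+ argument longer than 255 bytes")
    body = struct.pack("!BBHH", status, len(enc), len(server_msg), len(data))
    return body + bytes(len(a) for a in enc) + server_msg + data + b"".join(enc)


def decode_author_reply(body):
    """Inverse of encode_author_reply; rejects truncated or padded bodies."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    arg_lens = body[6:6 + arg_cnt]
    off = 6 + arg_cnt
    server_msg, off = body[off:off + msg_len], off + msg_len
    data, off = body[off:off + data_len], off + data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    if off != len(body) or len(arg_lens) != arg_cnt:
        raise ValueError("malformed authorization REPLY body")
    return status, args, server_msg, data


def parse_av_pair(arg):
    """'attr=value' is mandatory, 'attr*value' optional; the first '=' or '*'
    is the separator, so values may themselves contain either character."""
    for i, ch in enumerate(arg):
        if ch in "=*":
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError("argument %r has no separator" % arg)


def extract_pan_vsas(status, args):
    """Rule from the table: PaloAlto-* attributes are honoured only when the
    reply passed and carries service=PaloAlto and protocol=firewall."""
    if status not in (TAC_PLUS_AUTHOR_STATUS_PASS_ADD, TAC_PLUS_AUTHOR_STATUS_PASS_REPL):
        return {}
    attrs = {}
    for arg in args:
        name, value, _mandatory = parse_av_pair(arg)
        attrs[name] = value
    if attrs.get("service") != "PaloAlto" or attrs.get("protocol") != "firewall":
        return {}
    return {k: v for k, v in attrs.items() if k in PAN_VSAS}


def build_reply_packet(session_id, key, seq_no, args, status=TAC_PLUS_AUTHOR_STATUS_PASS_ADD):
    """12-byte header (flags=0, so the body is obfuscated) plus the body."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER
    body = encode_author_reply(status, args)
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHOR, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def read_reply_packet(packet, key):
    """Parse the header, de-obfuscate the body, return (status, args, VSAs)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or len(packet) != 12 + length:
        raise ValueError("not a complete authorization packet")
    body = packet[12:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, args, _server_msg, _data = decode_author_reply(body)
    return status, args, extract_pan_vsas(status, args)


# Constructed sample: a server assigning a firewall admin a role and an
# access domain (the role and domain names are placeholders, not real config).
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_ARGS = ["service=PaloAlto", "protocol=firewall",
               "PaloAlto-Admin-Role=superreader",
               "PaloAlto-Admin-Access-Domain*vsys1-admins"]

if __name__ == "__main__":
    pkt = build_reply_packet(0x1234ABCD, SAMPLE_KEY, 2, SAMPLE_ARGS)
    print(read_reply_packet(pkt, SAMPLE_KEY)[2])
```

A reply that carries PaloAlto-Admin-Role without service=PaloAlto and protocol=firewall yields no VSAs, which is the most common misconfiguration when the server side is set up from memory: the firewall authenticates the administrator but does not pick up the role. A wrong shared key de-obfuscates to garbage and fails the body length check rather than silently producing attributes.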