Setting

Up Cisco ACS 5.2 for use with

Palo Alto with different groups and
different roles.
The assumption is that you already know how to configure the Palo Alto Device for use with Radius,
and that you know how to configure different admin roles etc. If not, please refer to the palo alto
manual PaloAltoRadiusVSA.pdf

1. Configuring Radius Dictionaries (Palo Alto VSA)

Log in to your ACS and open the menu System Administration -> Configuration -> Dictionaries ->
Protocols -> Radius -> Radius VSA

Normally there is no Palo Alto Vender Specific Dictionary Present and youll have to create it. So
Press Create:

Chris Camp (chris.camp@nv-expression.be)

1

And Fill in ass above, press submit.

After submitting youll be able to go to the submenu PaloAlto (in the Radius VSA menu): System
Administration -> Configuration -> Dictionaries -> Protocols -> Radius -> Radius VSA -> PaloAlto

Here youll have to create the 5 different attributes as above.

Now you have your dictionary ready and youll have to use it in your Policy.

2. Configuring Authorization Profiles

The first thing well have to do is to create a new authorization Profile, where we can implement our
VSA for use.
Chris Camp (chris.camp@nv-expression.be)
2

In this example, we will configure 2 different ones, because we use 2 roles on our device (panorama),
one admin role, and one read-only role, which we will call GIO.
In the example below we only use one of the 5 Palo Alto Attributes (Palo Alto Panorama Admin Role),
but if necessary you can use other or more attributes as you need them.
So basicly we have 2 roles, the default admin role, and a self created role called GIO:

We will need to create two different authorization profiles (which is logical because we have two
different roles with different authorizations).
In ACS 5.2 go to: Policy Elements -> Authorization and Permissions -> Network Access ->
Authorization Profiles

You normally already have at least the default Permit Access profile. Press Create to create a new
one. Or select the Permit Access, and press duplicate:

Chris Camp (chris.camp@nv-expression.be)

3

Change the name and the description.

Go to the tab RADIUS Attributes

Select Dictionary Type: Radius Palo Alto

Chris Camp (chris.camp@nv-expression.be)
4

Select the needed Radius Attribute (in our case Panorama Admin Role)
And fill in the name of your role you created on the panorama device (in the above example we used
the default admins role, in the screenshot below you see the custom created GIO role).
Press Add, and Submit
Do the same for your 2nd role:

3. Creating Policies
Now youll have to learn your ACS when he will have to use this custom created Authorization
Profile. This is what happens in the Access Policy, here the ACS knows which profile to select and
which action to take.
This is very dependent of your network, which protocols and devices you use. There are many
different ways to configure this. So it is possible that in your setup youll have to do it differently,
however, with this example you might gain some insight in how ACS 5.2 works. In the example below
we have both have tacacs and radius present, however the setup is still very simple.
First step is to go to Access Policies -> Access Services -> Service Selection Rules
Here you create a policy to help the acs decide which access service to use. In our example we just
use two (which are the default, but you can also create custom ones if needed), the default device
admin, and the default network admin.

Chris Camp (chris.camp@nv-expression.be)

5

As you can see we created two simple rules, one directing all tacacs request to the Default Device
admin service, and one directing all radius traffic to the default network admin.
By pressing Customize (below lift) you can choose which fields to use in the conditions column. As
you can see in the example we only use the condition Protocol:

If you press create you will be able to configure your own service selection policy:

Chris Camp (chris.camp@nv-expression.be)

6

After configuring the Service Selection Rules, Go to the selected group in your rule (in our case, this is
the Default Network Admin). In the menu: Access Policies -> Access Services -> Default Network
Admin -> Authorization

Chris Camp (chris.camp@nv-expression.be)

7

Here again you have the customize button where you can specify which conditions you want to
select in your policy. In our example we use device ip-adress and we also have to use identity group,
because we want different roles for different groups.

And then off course, you create an authorization policy:

Chris Camp (chris.camp@nv-expression.be)

8

And the second one, with another identity group and another authorization profile:

Chris Camp (chris.camp@nv-expression.be)

9

Press Save Changes and youre ready to go.

Chris Camp (chris.camp@nv-expression.be)

10