Role‐Based Access Control
Access Domains
An access domain defines the features and permissions accorded to an administrative user, enabling granular
control over the administrative user's ability to switch context and access the features on the user interface
of the managed firewalls. Access domains can also limit access to a subset of the device groups and/or
templates created on Panorama and therefore restrict the user's ability to configure and manage firewalls.
The access domain is assigned through RADIUS vendor‐specific attributes (VSAs), so it takes effect only when a RADIUS
server is used for administrator authentication. With any other authentication method the access domain
settings are ignored. For information on defining an access domain, see Define an Access Domain.
Administrative Authentication
There are four ways to authenticate administrative users:
Local administrator account with local authentication—Both the administrator account credentials and
the authentication mechanisms are local to the firewall. To further secure the local administrator account,
create a password profile that defines a validity period for passwords and/or set firewall‐wide password
complexity settings. For more information, see Create an Administrative Account.
Local administrator account with certificate‐ or key‐based authentication—With this option, the
administrator accounts are local to the firewall, but authentication is based on SSH keys (for CLI access)
or client certificates/common access cards (for the web interface). For details on how to configure this
type of administrative access, see Enable Certificate‐Based Authentication for the Web Interface and
Enable SSH Key‐Based Authentication for the CLI.
Local administrator account with external authentication—The administrator accounts are managed on
the local firewall, but the authentication functions are offloaded to an existing LDAP, Kerberos, or
RADIUS service. To configure this type of account, you must first create an authentication profile that
defines how to access the external authentication service and then create an account for each
administrator that references the profile. For more information, see Create an Authentication Profile.
External administrator account and authentication—Account administration and authentication are
handled by an external RADIUS server. To use this option, you must define vendor‐specific attributes
(VSAs) on your RADIUS server that return the admin role (and, on Panorama, the access domain) for each
administrator. For a high‐level overview of the process, see Use RADIUS Vendor‐Specific Attributes for
Account Authentication. For details on how to configure this type of administrative access, refer to the
RADIUS Vendor Specific Attributes (VSA) article.
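The two RADIUS-backed options above (the access domain described under Access Domains, and the external administrator account whose role is carried in a VSA) both depend on the server returning Palo Alto vendor‐specific attributes in its Access‐Accept. The following Python is an added example, not code from this guide or from Palo Alto Networks: it encodes those VSAs the way a RADIUS server would (RFC 2865 attribute 26, Vendor‐Id plus Vendor‐Type/Vendor‐Length sub‐attributes) and decodes them the way the firewall or Panorama side must, rejecting malformed lengths rather than reading past them. The vendor ID 25461 and the Vendor‐Type numbers are taken from the FreeRADIUS dictionary.paloalto and are assumptions here; check them against the dictionary your own server ships. The sample Access‐Accept attribute list, the role name superuser and the domain name dc-east are constructed for the example.

```python
"""RADIUS Vendor-Specific Attributes (RFC 2865 attribute 26) for Palo Alto
admin-role and access-domain mapping: encode them as a RADIUS server would in
an Access-Accept, and decode them as the firewall/Panorama side must.

Added example, not code from the Panorama guide or from Palo Alto Networks.
The vendor ID and Vendor-Type numbers follow the FreeRADIUS dictionary.paloalto
and are assumed here; verify them against the dictionary on your own server.
"""
import struct

ATTR_VENDOR_SPECIFIC = 26      # RFC 2865 attribute type for VSAs
PALO_ALTO_VENDOR_ID = 25461    # Palo Alto Networks enterprise number (assumed)
# Vendor-Type numbers per dictionary.paloalto (assumed; check your dictionary).
PAN_VSA = {
    "PaloAlto-Admin-Role": 1,
    "PaloAlto-Admin-Access-Domain": 2,
    "PaloAlto-Panorama-Admin-Role": 3,
    "PaloAlto-Panorama-Admin-Access-Domain": 4,
    "PaloAlto-User-Group": 5,
}
PAN_VSA_NAMES = {num: name for name, num in PAN_VSA.items()}


def pack_vsa(vendor_id: int, vendor_type: int, data: bytes) -> bytes:
    """Build one attribute-26 TLV:
    Type(1) Length(1) Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data.
    Vendor-Length covers the sub-header plus data; Length covers everything.
    Both are one byte, which caps the data at 247 bytes."""
    if len(data) > 247:
        raise ValueError("VSA data does not fit in one attribute")
    sub = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", vendor_id) + sub
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def encode_pan_vsa(name: str, value: str) -> bytes:
    """Encode a named Palo Alto VSA, e.g. PaloAlto-Panorama-Admin-Role."""
    return pack_vsa(PALO_ALTO_VENDOR_ID, PAN_VSA[name], value.encode("utf-8"))


def decode_pan_vsas(attrs: bytes) -> dict:
    """Walk a RADIUS attribute list and return {vsa_name: value} for every
    Palo Alto VSA. Other attributes and other vendors' VSAs are skipped.
    Any length field that does not fit raises ValueError instead of being
    read past, which is the check a parser of untrusted packets needs."""
    found = {}
    pos = 0
    while pos < len(attrs):
        if len(attrs) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = attrs[pos], attrs[pos + 1]
        if alen < 2 or pos + alen > len(attrs):
            raise ValueError("attribute length out of range")
        payload = attrs[pos + 2:pos + alen]
        pos += alen
        if atype != ATTR_VENDOR_SPECIFIC or len(payload) < 4:
            continue
        if struct.unpack("!I", payload[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue
        sub, spos = payload[4:], 0
        while spos < len(sub):
            if len(sub) - spos < 2:
                raise ValueError("truncated VSA sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError("VSA sub-attribute length out of range")
            name = PAN_VSA_NAMES.get(vtype, f"PaloAlto-Unknown-{vtype}")
            found[name] = sub[spos + 2:spos + vlen].decode("utf-8", "replace")
            spos += vlen
    return found


def is_well_formed(attrs: bytes) -> bool:
    """True if decode_pan_vsas accepts the attribute list without error."""
    try:
        decode_pan_vsas(attrs)
        return True
    except ValueError:
        return False


# Constructed sample: the attribute list of an Access-Accept returned for a
# Panorama administrator. It mixes in a Reply-Message (type 18) and a Cisco
# (vendor 9) VSA, both of which the decoder must ignore.
SAMPLE_ACCESS_ACCEPT_ATTRS = (
    bytes([18, 4]) + b"ok"
    + pack_vsa(9, 1, b"shell:priv-lvl=15")
    + encode_pan_vsa("PaloAlto-Panorama-Admin-Role", "superuser")
    + encode_pan_vsa("PaloAlto-Panorama-Admin-Access-Domain", "dc-east")
)

if __name__ == "__main__":
    for name, value in decode_pan_vsas(SAMPLE_ACCESS_ACCEPT_ATTRS).items():
        print(name, "=", value)
```

On a FreeRADIUS server the same two attributes would be set as reply items on the user (or group) entry; whichever server you use, the point to verify is that the reply carries PaloAlto-Panorama-Admin-Role for the role and PaloAlto-Panorama-Admin-Access-Domain for the domain, with values spelled exactly as the role and access domain are named on Panorama, because the strings are matched literally.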
24 • Panorama 6.1 Administrator's Guide
Panorama Overview
© Palo Alto Networks, Inc.