Define An Access Domain; Create An Authentication Profile - PaloAlto Networks Panorama 6.1 Administrator's Manual

Set Up Panorama
Create an Administrative Account: Local Account/Authentication (Continued)
Step 3 Create an account for each
administrator.
Step 4 Save the configuration changes.
Define an Access Domain
An access domain provides a way to limit administrative access to specified device groups (to manage policies
and objects) and templates (to manage network and device settings), and the ability to switch context to the
web interface on the managed firewalls. Access domain settings are only relevant if:
A custom Admin Role profile with a

A RADIUS server is used for administrator authentication. The access domain is linked to RADIUS

vendor‐specific attributes (VSAs). On the RADIUS server, a VSA attribute number and value is defined
for each administrative user. The value defined must match the access domain configured on Panorama.
When an administrator attempts to log in Panorama, Panorama queries the RADIUS server for the
administrator's access domain and attribute number. Based on the response from the RADIUS server, the
administrator is authorized for access and is restricted to the firewalls/virtual systems, device groups and
templates specified in the access domain. For details on the supported RADIUS VSAs, see Use RADIUS
Vendor‐Specific Attributes for Account Authentication.
Define an Access Domain
Step 1 Create an access domain.
Step 2 Specify the device groups, templates and
firewall contexts that the user can
administer.
Step 3 Save the configuration changes.
Create an Authentication Profile
An authentication profile specifies the authentication service that validates the administrator's credentials
and defines how to access that authentication service. Panorama can be configured to access the local
database, a RADIUS server, Kerberos server, or an LDAP server.
© Palo Alto Networks, Inc.
1. Select Panorama > Administrators and then click Add.
2. Enter a user Name and Password for the administrator.
3. Select the Role to assign to this administrator. Select a
predefined Dynamic role or a custom role‐based profile as
defined in Step
4. (Optional) Select the Authentication Profile to use for
validating an administrative user's credentials to an external
authentication server. See Create an Authentication Profile.
5. (Optional) Select a Password
6. Click OK to save the account.
Click Commit, and select Panorama in the Commit Type option.
Device Group and Template
1. Select Panorama > Access Domain and then click Add.
2. Enter a user Name to identify the domain.
In the Device Groups, Templates, and Device Context tabs, click
Add and pick from the filtered list or drop‐down that displays.
Click Commit, and select Panorama in the Commit Type option.
Set Up Administrative Access to Panorama
1.
Profile. See Step
role is defined.
Panorama 6.1 Administrator's Guide • 75
2.