Wednesday, February 8, 2017

Palo Alto RADIUS dictionary for RSA Authentication Manager

I Googled for a pre-built RADIUS dictionary to add to RSA Auth Manager in vain, so if I can save someone else twenty minutes:
This is a mash-up of the result of following https://community.rsa.com/docs/DOC-46893 with the contents of https://live.paloaltonetworks.com/t5/Tech-Note-Articles/RADIUS-Dictionary/ta-p/53745

You need to SSH to the Authentication Manager server and cd to /opt/rsa/am/radius
(you can also do it via file access in the Operations Console, and you need to do it on the replicas too).
Then edit vendor.ini to add:

vendor-product       = Palo Alto Networks
dictionary           = paloalto
ignore-ports         = no
port-number-usage    = per-port-type
help-id              = 2000

Then to dictiona.dcm add:

@paloalto.dct

And create paloalto.dct with contents:

@radius.dct

MACRO PaloAlto(t,s) 26[vid=25461 type1=%t% len1=+2 data=%s%]

ATTRIBUTE       PaloAlto-Admin-Role           paloalto(1,string) r
# PaloAlto-Admin-Role is the name of the role for the user
# it can be the name of a custom Admin role profile configured on the
# PAN device or one of the following predefined roles
# superuser : Superuser
# superreader : Superuser (read-only)
# deviceadmin : Device administrator
# devicereader : Device administrator (read-only)
# vsysadmin : Virtual system administrator
# vsysreader : Virtual system administrator (read-only)

ATTRIBUTE       PaloAlto-Admin-Access-Domain  paloalto(2,string) r
# PaloAlto-Admin-Access-Domain is the name of the access domain object defined
# on the PAN device

ATTRIBUTE       PaloAlto-Panorama-Admin-Role  paloalto(3,string) r
# PaloAlto-Panorama-Admin-Role is the name of the role for the user
# it can be the name of a custom Admin role profile configured on the
# Panorama server or one of the following predefined roles
# superuser : Superuser
# superreader : Superuser (read-only)
# panorama-admin : Panorama administrator

ATTRIBUTE       PaloAlto-Panorama-Admin-Access-Domain   paloalto(4,string) r
# PaloAlto-Panorama-Admin-Access-Domain is the name of the access domain
# object defined on the Panorama server

ATTRIBUTE       PaloAlto-User-Group      paloalto(5,string) r
# PaloAlto-User-Group is the name of the group of users

ATTRIBUTE       PaloAlto-User-Domain        paloalto(6,string) r
# PaloAlto-User-Domain is the name of the user domain

ATTRIBUTE       PaloAlto-Client-Source-IP   paloalto(7,string) r
# PaloAlto-Client-Source-IP is the source IP address of the computer
# on which GlobalProtect client is used to log in

ATTRIBUTE       PaloAlto-Client-OS   paloalto(8,string) r
# PaloAlto-Client-OS is the operating system (OS) of the computer
# on which GlobalProtect client is used to log in

ATTRIBUTE       PaloAlto-Client-Hostname   paloalto(9,string) r
# PaloAlto-Client-Hostname is the hostname of the computer
# on which the user logs in

ATTRIBUTE       PaloAlto-GlobalProtect-Client-Version  paloalto(10,string) r
# PaloAlto-GlobalProtect-Client-Version is the version of GlobalProtect
# client which is used to log in

Then, once you've restarted the RADIUS server, Palo Alto will appear in the list of RADIUS client types you can select. Then in the RADIUS profiles you will have a bunch of Palo Alto return attributes.
To make groups work you still need an LDAP directory somewhere for the firewall to pull the groups from; then you can have a return attribute value like 'cn=admin group,ou=org groups,ou=groups,dc=orgname,dc=com'
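The MACRO line in the dictionary is the whole story of how these attributes travel on the wire: each one is a RADIUS Vendor-Specific attribute (type 26) carrying vendor ID 25461, then a one-byte vendor type, a one-byte vendor length (data length plus 2) and the string. The following is an added example, not code from the post or from RSA or Palo Alto Networks, that encodes and decodes attributes in exactly that layout. The attribute names and type numbers come from paloalto.dct above; the sample values (the role and group DN) are constructed, and the reply-message byte string in the decoder's caller is a made-up input for illustration. It is the kind of thing you would use to check what a RADIUS server actually returned when a firewall's role or group mapping does not behave as expected.

```python
import struct

VENDOR_ID_PALOALTO = 25461        # vid=25461 from the MACRO line
RADIUS_VENDOR_SPECIFIC = 26       # outer attribute type from the MACRO line

# Vendor type -> attribute name, taken from paloalto.dct above
PALOALTO_ATTRIBUTES = {
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
    6: "PaloAlto-User-Domain",
    7: "PaloAlto-Client-Source-IP",
    8: "PaloAlto-Client-OS",
    9: "PaloAlto-Client-Hostname",
    10: "PaloAlto-GlobalProtect-Client-Version",
}
NAME_TO_TYPE = {name: vtype for vtype, name in PALOALTO_ATTRIBUTES.items()}


def encode_paloalto_vsa(name: str, value: str) -> bytes:
    """Build one Vendor-Specific attribute laid out as the MACRO describes:
       26 | len | vid (4 bytes) | type1 | len1 (= data length + 2) | data
    """
    data = value.encode("utf-8")
    inner = struct.pack("!BB", NAME_TO_TYPE[name], len(data) + 2) + data
    body = struct.pack("!I", VENDOR_ID_PALOALTO) + inner
    if 2 + len(body) > 255:
        # A RADIUS attribute length is a single byte; refuse rather than truncate
        raise ValueError("VSA would exceed the 255-byte attribute limit")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def decode_attributes(blob: bytes) -> dict:
    """Walk a RADIUS attribute list and return the Palo Alto VSAs it carries
    as {name: value}. Other attributes and other vendors' VSAs are skipped;
    a length that runs past the buffer raises instead of being read."""
    found = {}
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        payload = blob[pos + 2:pos + alen]
        pos += alen
        if atype != RADIUS_VENDOR_SPECIFIC or len(payload) < 4:
            continue
        if struct.unpack("!I", payload[:4])[0] != VENDOR_ID_PALOALTO:
            continue
        # One VSA may carry several vendor sub-attributes back to back
        sub, spos = payload[4:], 0
        while spos < len(sub):
            if len(sub) - spos < 2:
                raise ValueError("truncated vendor sub-attribute")
            vtype, vlen = sub[spos], sub[spos + 1]
            if vlen < 2 or spos + vlen > len(sub):
                raise ValueError(f"bad vendor length {vlen}")
            value = sub[spos + 2:spos + vlen].decode("utf-8", errors="replace")
            found[PALOALTO_ATTRIBUTES.get(vtype, f"PaloAlto-Unknown-{vtype}")] = value
            spos += vlen
    return found


def build_sample_accept_attributes() -> bytes:
    """Constructed sample: the attribute list of an Access-Accept that assigns
    a read-only role and an LDAP group DN (values are made up for this example)."""
    return (
        encode_paloalto_vsa("PaloAlto-Admin-Role", "superreader")
        + encode_paloalto_vsa(
            "PaloAlto-User-Group",
            "cn=admin group,ou=org groups,ou=groups,dc=orgname,dc=com",
        )
    )


if __name__ == "__main__":
    attrs = build_sample_accept_attributes()
    print(attrs.hex())
    print(decode_attributes(attrs))
```

Running it prints the raw bytes (note the 00006375 vendor ID, which is 25461 in hex, right after the 1a type byte) and the decoded name/value pairs. Feeding it the attribute section of a captured Access-Accept is a quick way to confirm the server is sending the attribute the firewall expects rather than, say, a differently numbered one.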