Exam PCNSE topic 1 question 46 discussion

The answer should be C, D, and E https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall.

ldap is not matching questions.

C, D and E are correct

CDE are correct. With LDAP, you have to define the admin user locally otherwise there is no other way to assign a role to the user. With Radius, tacacs and saml the firewall can utilise the received VSAs or SAML attributes to map to the roles locally defined on the firewall.

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

A,C.F is the correct answer

Without defining user only CDE

CDE are the correct answers.

LDAP is also an answer. I don't understand why NOT, CDEF should be correct. I did LDAP for admin users myself. correct me if I'm wrong. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/authentication/configure-ldap-authentication

C-D-E https://origin-docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-local-or-external-authentication-for-firewall-administrators.html

"...without defining a corresponding admin account on the local firewall?" so what?! it talks about "authenticate" only! So that means we do not talk about "authorization" here (i.e. role mapping). When it comes to authentication only all of them could be used: ACDEF but.. is that what they wanna see here? more likely they wanna know which can be used without any need to create a local account at all (i.e even authorization) and that leads to: CDE according to: https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/manage-firewall-administrators/configure-administrative-accounts-and-authentication/configure-local-or-external-authentication-for-firewall-administrators.html#id7484db35-8218-421b-9847-eab796beea99 so most likely CDE is what they wanna see here - imho

RADIUS does not need an admin configured. VSAs (Vendor specific attributes) would be used. I log in as Jack, RADIUS sends back a success and a VSA value. If that value corresponds to read/write administrator, I get logged in as a superuser. There are VSAs for read only and user (Global protect access but not admin). I am unsure what other Auth methods can use VSA or a similar mechanisim. If admin users are configured with RADIUS, no need for VSA.

c, d, e https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication.html

Correct answer is C, D and E, please !

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. For details, see:

what is the right answer for the exam alone? ACF or CDE?