Set up RADIUS or TACACS+ authentication for GlobalProtect users by creating server
profiles, configuring server settings, and creating authentication profiles that
use those server profiles to authenticate users.

RADIUS is a client/server protocol that enables a network access server (here, the
firewall) to communicate with a central server to authenticate remote users and
authorize their access to the requested system or service. TACACS+ is a
well-established authentication protocol, common to UNIX networks, that allows a
remote access server to forward a user's login credentials to an authentication
server, which decides whether access to a given system can be allowed.

1. Create a server profile.
The server profile identifies the external authentication
service and instructs the firewall how to connect to that authentication
service and access the authentication credentials for your users.
If the firewall has multiple virtual systems, select the virtual system, or Shared,
as the Location in which the profile is available.
Configure the following settings:
Timeout: Number of seconds the firewall waits for a response from the authentication
server before it gives up on the connection request.
Authentication Protocol: The protocol the firewall uses to authenticate against the
server. For RADIUS the options are PAP, CHAP, PEAP-MSCHAPv2, PEAP with GTC, and
EAP-TTLS with PAP; TACACS+ supports CHAP and PAP. With PAP the user's password is
hidden only by an MD5 keystream derived from the shared secret, so prefer the
EAP-based options, which carry the credential exchange inside a TLS tunnel, where
the server supports them. If you select PEAP-MSCHAPv2 (Protected Extensible
Authentication Protocol with Microsoft Challenge Handshake Authentication Protocol
version 2) as the authentication protocol, remote users can change their RADIUS or
Active Directory (AD) passwords through the GlobalProtect app when their password
expires or a RADIUS/AD administrator requires a password change at the next login.
Retries: Number of times the firewall retries the connection to the authentication
server before it drops the request.
Use single connection for all authentication (TACACS+ only): Send all TACACS+
authentication requests over one TCP session rather than opening a separate
session for each request. The TACACS+ server must support single-connection mode.
Add a server and enter the information the firewall needs to reach it: a Name for
the entry, the Server (IP address or FQDN of the server), the Secret (the shared
secret with which the authentication service authenticates the firewall and
protects the exchange), and the Port (by default 1812 for RADIUS, 49 for TACACS+).
Click OK to save the server profile.
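What the Secret and the PAP option in the server profile actually do on the wire, as an added Python illustration written for this page (it is not Palo Alto Networks code and not the firewall's implementation): it builds an RFC 2865 Access-Request the way a NAS such as the GlobalProtect gateway would, hides the PAP password with the shared secret, and verifies the Response Authenticator on the server's reply. The secret, username, password, NAS-Identifier value and the fixed authenticator used in the demo are all constructed constants.

```python
"""Build, inspect and verify RADIUS PAP packets (RFC 2865) to show what the
server profile's Secret protects. Added illustration; not PAN-OS code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32   # attribute type codes


def _attr(atype: int, value: bytes) -> bytes:
    """One type-length-value attribute; the length counts the 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(secret: bytes, password: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret || previous ciphertext block), seeded by the Request Authenticator."""
    padded = password.ljust(max(16, (len(password) + 15) // 16 * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def recover_password(secret: bytes, hidden: bytes, request_auth: bytes) -> bytes:
    """What the RADIUS server does; anyone holding the secret can do the same,
    which is why a guessable Secret exposes every PAP login on the wire."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # drops the padding (and any genuine trailing NULs)


def build_access_request(secret, username, password, identifier, request_auth=None):
    """Access-Request as the firewall (the NAS) would send it.
    Returns (packet, request_authenticator); the authenticator is random unless given."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(USER_NAME, username.encode())
             + _attr(USER_PASSWORD, hide_password(secret, password, request_auth))
             + _attr(NAS_IDENTIFIER, b"gp-gateway"))      # constructed NAS name
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(secret, code, identifier, request_auth, attrs=b""):
    """Server-side reply; the Response Authenticator binds it to the request and secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(secret, request_auth, packet) -> bool:
    """NAS-side check; without it anyone on the path could forge an Access-Accept."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_packet(packet):
    """Return (code, identifier, {attribute_type: value}) for a well-formed packet."""
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    attrs, pos = {}, 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return code, identifier, attrs


if __name__ == "__main__":
    secret = b"change-me"                       # stands in for the Secret field
    pkt, ra = build_access_request(secret, "alice", b"hunter2", identifier=1)
    code, ident, attrs = parse_packet(pkt)
    print(code, ident, attrs[USER_NAME], recover_password(secret, attrs[USER_PASSWORD], ra))
    accept = build_response(secret, ACCESS_ACCEPT, ident, ra)
    print(verify_response(secret, ra, accept), verify_response(b"wrong", ra, accept))
```

The Timeout and Retries settings govern how long the firewall waits for a packet like the Access-Accept above and how often it resends the request with the same identifier; the Response Authenticator is the only thing that ties that reply to the firewall's request and to the Secret, so a reply that fails the check must be discarded, not treated as a timeout.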
2. Create an authentication profile.
The authentication profile specifies the server profile
that the portal or gateways use when they authenticate users. On
a portal or gateway, you can assign one or more authentication profiles
in one or more client authentication profiles. For information on
how an authentication profile within a client authentication profile
supports granular user authentication, see Configure
a GlobalProtect Gateway and Set
Up Access to the GlobalProtect Portal.
Enter a User Domain and a Username Modifier if you want to include this information
in the authentication profile. The endpoint combines these values to modify the
domain/username string that a user enters during login. The endpoint uses the
modified string for authentication and the User Domain value for User-ID group
mapping. Modifying user input is useful when the authentication service requires
domain/username strings in a particular format but you do not want to rely on
users entering the domain correctly. You can select from the following options:
To send the unmodified user input, leave the User Domain blank (the default) and
set the Username Modifier to %USERINPUT%.
To prepend a domain to the user input, enter a User Domain and set the Username
Modifier to %USERDOMAIN%\%USERINPUT%.
To append a domain to the user input, enter a User Domain and set the Username
Modifier to %USERINPUT%@%USERDOMAIN%.
If the Username Modifier includes the %USERDOMAIN% variable, the User Domain value
replaces any domain string that the user enters. If the User Domain is blank, the
device removes any user-entered domain string.
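The modifier rules above, as an added Python model of the documented behaviour (an illustration written for this page, not firewall code): it splits DOMAIN\user and user@domain forms, applies %USERINPUT% and %USERDOMAIN%, and returns both the string sent for authentication and the domain used for User-ID group mapping. The way user input is parsed into domain and user, and dropping the separator along with the domain when User Domain is blank, are assumptions; the sample logins in demo() are constructed.

```python
"""Model of the Username Modifier / User Domain rules. Added illustration of the
documented behaviour; the firewall's own parsing may differ in edge cases."""
USERINPUT, USERDOMAIN = "%USERINPUT%", "%USERDOMAIN%"


def split_user_input(user_input: str):
    """Split what the user typed into (domain, user).
    Assumption: DOMAIN\\user and user@domain are the only two domain-qualified forms."""
    if "\\" in user_input:
        domain, _, user = user_input.partition("\\")
        return domain, user
    if "@" in user_input:
        user, _, domain = user_input.rpartition("@")   # keep any '@' inside the user part
        return domain, user
    return "", user_input


def apply_username_modifier(user_input: str, user_domain: str = "", modifier: str = USERINPUT):
    """Return (string sent to the authentication server, domain used for User-ID)."""
    _entered_domain, user = split_user_input(user_input)
    if USERDOMAIN not in modifier:
        # No %USERDOMAIN% in the modifier: the input passes through unmodified,
        # whatever domain the user did or did not type.
        return modifier.replace(USERINPUT, user_input), user_domain
    if not user_domain:
        # %USERDOMAIN% present but User Domain blank: the user-entered domain is
        # removed. Assumption: the separator goes with it, leaving the bare user.
        return user, ""
    # User Domain replaces whatever domain (if any) the user entered.
    return modifier.replace(USERINPUT, user).replace(USERDOMAIN, user_domain), user_domain


def demo():
    """Constructed sample logins covering each documented option."""
    cases = [
        ("alice", "", USERINPUT),
        ("CORP\\alice", "", USERINPUT),
        ("alice", "corp.example", f"{USERDOMAIN}\\{USERINPUT}"),
        ("OLD\\alice", "corp.example", f"{USERDOMAIN}\\{USERINPUT}"),
        ("alice@old.example", "corp.example", f"{USERINPUT}@{USERDOMAIN}"),
        ("OLD\\alice", "", f"{USERDOMAIN}\\{USERINPUT}"),
    ]
    return [(typed, apply_username_modifier(typed, domain, mod)) for typed, domain, mod in cases]


if __name__ == "__main__":
    for typed, (auth_string, userid_domain) in demo():
        print(f"{typed!r:22} -> auth {auth_string!r:28} User-ID domain {userid_domain!r}")
```

Run the demo to see that with a fixed User Domain the string sent to RADIUS or TACACS+ is the same whether the user typed OLD\alice, alice@old.example or just alice, which is the point of the feature: the authentication service sees one consistent format and group mapping uses the domain you configured rather than the one the user chose.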
Add an entry to the Allow List to select the users and user groups that are
allowed to authenticate with this profile. The all entry allows every user to
authenticate with this profile. By default, the list has no entries, which means
no users can authenticate. Prefer listing only the groups that need GlobalProtect
access: with all, any account the authentication server accepts can establish a
VPN session.