Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server

When communicating with GlobalProtect portals or gateways, GlobalProtect clients send information that includes the client IP address, operating system (OS), hostname, user domain, and GlobalProtect agent/app version. You can enable the firewall to send this information as Vendor-Specific Attributes (VSAs) to a RADIUS server during authentication (by default, the firewall does not send the VSAs). RADIUS administrators can then perform administrative tasks based on those VSAs. For example, RADIUS administrators might use the client OS attribute to define a policy that mandates regular password authentication for Microsoft Windows users and one-time password (OTP) authentication for Google Android users.
The following are prerequisites for this procedure:
  1. Log in to the firewall CLI.
  2. Enter the command for each VSA you want to send.
    username@hostname> set authentication radius-vsa-on client-source-ip
    username@hostname> set authentication radius-vsa-on client-os
    username@hostname> set authentication radius-vsa-on client-hostname
    username@hostname> set authentication radius-vsa-on user-domain
    username@hostname> set authentication radius-vsa-on client-gp-version
    If you later want to stop the firewall from sending particular VSAs, run the same commands but use the radius-vsa-off option instead of radius-vsa-on.
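
The following added example (not Palo Alto Networks code) shows how a RADIUS-side script could decode these VSAs from the attribute bytes of an Access-Request and apply the OS-based policy described in the introduction. The vendor ID 25461 and sub-attribute numbers 6 to 10 are taken from the Palo Alto Networks RADIUS dictionary rather than from this page, and the sample attribute bytes, OS strings and fallback policy are constructed assumptions.

```python
import struct

PALO_ALTO_VENDOR_ID = 25461  # IANA enterprise number (assumption: not stated on this page)
# Sub-attribute numbers per the Palo Alto Networks RADIUS dictionary (assumption).
GP_VSAS = {6: "user-domain", 7: "client-source-ip", 8: "client-os",
           9: "client-hostname", 10: "client-gp-version"}

def parse_gp_vsas(attrs: bytes) -> dict:
    """Walk RFC 2865 attribute TLVs and return the GlobalProtect VSAs found."""
    found, pos = {}, 0
    while pos + 2 <= len(attrs):
        a_type, a_len = attrs[pos], attrs[pos + 1]
        if a_len < 2 or pos + a_len > len(attrs):
            raise ValueError("malformed attribute length")
        value = attrs[pos + 2:pos + a_len]
        pos += a_len
        if a_type != 26 or len(value) < 4:  # 26 = Vendor-Specific
            continue
        (vendor,) = struct.unpack("!I", value[:4])
        if vendor != PALO_ALTO_VENDOR_ID:
            continue
        sub = 4
        while sub + 2 <= len(value):  # vendor sub-attributes: type, length, data
            v_type, v_len = value[sub], value[sub + 1]
            if v_len < 2 or sub + v_len > len(value):
                raise ValueError("malformed vendor sub-attribute")
            name = GP_VSAS.get(v_type)
            if name:
                found[name] = value[sub + 2:sub + v_len].decode("utf-8", "replace")
            sub += v_len
    return found

def required_auth(vsas: dict) -> str:
    """Example policy from the text: Windows -> password, Android -> OTP."""
    os_name = vsas.get("client-os", "").lower()
    if "windows" in os_name:
        return "password"
    # Android gets OTP; assumption: a missing or unknown OS also gets OTP,
    # so a request without the VSA never falls back to the weaker method.
    return "otp"

def vsa(sub_type: int, text: str) -> bytes:
    """Build one Palo Alto Vendor-Specific attribute (for constructed input only)."""
    data = text.encode()
    body = struct.pack("!I", PALO_ALTO_VENDOR_ID) + bytes([sub_type, len(data) + 2]) + data
    return bytes([26, len(body) + 2]) + body

# Constructed sample: User-Name (type 1) followed by two GlobalProtect VSAs.
SAMPLE = bytes([1, 7]) + b"alice" + vsa(8, "Microsoft Windows 10 Pro") + vsa(9, "LAPTOP-01")
```

If the firewall has not been configured with radius-vsa-on for client-os, parse_gp_vsas returns no client-os entry and this example policy requires OTP.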
