Set Up RADIUS or TACACS+ Authentication
RADIUS is a client/server protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize their access to the requested system or service. TACACS+ is a well-established authentication protocol common to UNIX networks that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system.
- Create a server profile. The server profile identifies the external authentication service and instructs the firewall how to connect to that authentication service and access the authentication credentials for your users.
  - Select Device > Server Profiles and select the type of profile (RADIUS or TACACS+).
  - Click Add and enter a Profile Name, such as GP-User-Auth.
  - If this profile is for a firewall with multiple virtual systems capability, select a virtual system or Shared as the Location where the profile is available.
  - Configure the following Server Settings. These settings apply to all servers you include in the profile.
    - Timeout (sec)—The number of seconds before a server connection request times out due to lack of response from the authentication server.
    - Authentication Protocol—Select the protocol to use for connections to the authentication server. Choices are CHAP, PAP, or Auto.
    - (RADIUS only) Retries—The number of times the firewall tries connecting to the authentication server before dropping the request.
    - (TACACS+ only) Use single connection for all authentication—Allow all TACACS+ authentication requests to occur over a single TCP session rather than separate sessions for each request.
  - Click Add in the Servers section and then enter the necessary information for connecting to the authentication server, including the server Name, the IP address or FQDN of the Server, and the Port.
  - Specify settings to enable the authentication service to authenticate the firewall. Enter the shared Secret when adding the server entry.
  - Click OK to save the server profile.
- (Optional) Create an authentication profile. The authentication profile specifies the server profile for the portal or gateways to use when they authenticate users. On a portal or gateway, you can assign one or more authentication profiles in one or more client authentication profiles. For descriptions of how an authentication profile within a client authentication profile supports granular user authentication, see Configure a GlobalProtect Gateway and Set Up Access to the GlobalProtect Portal.
  - Select Device > Authentication Profile and Add a new profile.
  - Enter a Name for the profile and then select the authentication Type (RADIUS or TACACS+).
  - Select the RADIUS or TACACS+ authentication Server Profile that you created in step 1 from the drop-down.
  - (RADIUS only) Enable Retrieve user group from RADIUS if you want to include this information in the authentication profile.
  - Specify the domain name and username format. The device combines the User Domain and Username Modifier values to modify the domain/username string that a user enters during login. The device uses the modified string for authentication and uses the User Domain value for User-ID group mapping. Modifying user input is useful when the authentication service requires domain/username strings in a particular format and you don't want to rely on users to correctly enter the domain. You can select from the following options:
    - To send only the unmodified user input, leave the User Domain blank (the default) and set the Username Modifier to the variable %USERINPUT% (the default).
    - To prepend a domain to the user input, enter a User Domain and set the Username Modifier to %USERDOMAIN%\%USERINPUT%.
    - To append a domain to the user input, enter a User Domain and set the Username Modifier to %USERINPUT%@%USERDOMAIN%.
    If the Username Modifier includes the %USERDOMAIN% variable, the User Domain value replaces any domain string that the user enters. If the User Domain is blank, the device removes any user-entered domain string.
  - Select the Advanced tab.
  - In the Allow List, Add and then select the users and groups that are allowed to authenticate with this profile. Selecting the predefined all option allows every user to authenticate. By default, the list has no entries, which means no users can authenticate.
- Commit the configuration. Click Commit.
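The User Domain and Username Modifier rules from the authentication profile step are easy to get wrong when users type a domain themselves. The following model of that substitution is an added example, not Palo Alto Networks code: it implements the three documented options (unmodified input, prepend with %USERDOMAIN%\%USERINPUT%, append with %USERINPUT%@%USERDOMAIN%), the rule that a configured User Domain replaces any domain the user entered, and the rule that a blank User Domain strips the user-entered domain. Recognising DOMAIN\user and user@domain as the two user-entered domain forms, and dropping the dangling separator when the domain is blank, are assumptions of this example, not statements from the page.

```python
"""Model of the GlobalProtect User Domain / Username Modifier substitution.

Added example; not part of the product documentation or the firewall code.
"""
from typing import Tuple

USERINPUT = "%USERINPUT%"
USERDOMAIN = "%USERDOMAIN%"


def split_user_input(user_input: str) -> Tuple[str, str]:
    """Split a login string into (domain, user).

    Assumption: users enter a domain either as DOMAIN\\user or as user@domain.
    Returns an empty domain when neither form is present.
    """
    if "\\" in user_input:
        domain, _, user = user_input.partition("\\")
        return domain, user
    if "@" in user_input:
        user, _, domain = user_input.rpartition("@")
        return domain, user
    return "", user_input


def modify_username(user_input: str,
                    user_domain: str = "",
                    username_modifier: str = USERINPUT) -> str:
    """Return the string the device would send to the RADIUS/TACACS+ server.

    Defaults (blank User Domain, %USERINPUT% modifier) pass the input through
    unchanged, exactly as the documentation describes.
    """
    if USERDOMAIN not in username_modifier:
        # No %USERDOMAIN% in the modifier: the user-entered string is kept as is.
        return username_modifier.replace(USERINPUT, user_input)

    # %USERDOMAIN% present: the configured User Domain replaces whatever domain
    # the user typed, so only the bare username survives from the input.
    _, bare_user = split_user_input(user_input)
    result = username_modifier.replace(USERINPUT, bare_user)

    if user_domain:
        return result.replace(USERDOMAIN, user_domain)

    # Blank User Domain: the user-entered domain is removed. Dropping the now
    # dangling separator (leading "\" or trailing "@") is an assumption here.
    return result.replace(USERDOMAIN, "").strip("\\@")


if __name__ == "__main__":
    # Constructed sample logins, one per documented option.
    cases = [
        ("alice", "", USERINPUT),
        ("CORP\\alice", "", USERINPUT),
        ("alice", "corp.example", f"{USERDOMAIN}\\{USERINPUT}"),
        ("OLD\\alice", "corp.example", f"{USERDOMAIN}\\{USERINPUT}"),
        ("alice@old.example", "corp.example", f"{USERINPUT}@{USERDOMAIN}"),
        ("OLD\\alice", "", f"{USERDOMAIN}\\{USERINPUT}"),
    ]
    for login, domain, modifier in cases:
        print(f"{login!r:22} domain={domain!r:16} -> {modify_username(login, domain, modifier)!r}")
```

Run the block to see how the same typed login is rewritten under each setting; the fourth and fifth cases show that a user who types a stale domain still authenticates against the configured User Domain, which is the reason to set the modifier rather than trusting user input.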