>
    Enable Delivery of VSAs to a RADIUS Server
    Focus
    Download PDF
    Focus
    1. Home
    2. GlobalProtect
    3. Authentication
    4. Enable Delivery of VSAs to a RADIUS Server
    Download PDF
    GlobalProtect

    Enable Delivery of VSAs to a RADIUS Server

    Table of Contents
    End-of-Life (EoL)

    Enable Delivery of VSAs to a RADIUS Server

    When communicating with portals or gateways, GlobalProtect endpoints send information that includes the endpoint IP address, operating system (OS), hostname, user domain, and GlobalProtect app version. You can enable the firewall to send this information as Vendor-Specific Attributes (VSAs) to a RADIUS server during authentication (by default, the firewall does not send the VSAs). RADIUS administrators can then perform administrative tasks based on those VSAs. For example, RADIUS administrators might use the OS attribute to define a policy that mandates regular password authentication for Microsoft Windows users and one-time password (OTP) authentication for Google Android users.
    The following are prerequisites for this procedure:
    1. Log in to the firewall CLI.
    2. Enter the command for each VSA you want to send:
      username@hostname> set authentication radius-vsa-on client-source-ip 
username@hostname> set authentication radius-vsa-on client-os 
username@hostname> set authentication radius-vsa-on client-hostname 
username@hostname> set authentication radius-vsa-on user-domain 
username@hostname> set authentication radius-vsa-on client-gp-version
      If you later want to stop the firewall from sending particular VSAs, run the same commands but use the radius-vsa-off option instead of radius-vsa-on.

    © 2024 Palo Alto Networks, Inc. All rights reserved.