you predefine dynamic administrator roles on the server, use lower-case
to specify the role (for example, enter
To use a RADIUS
server for managing administrator accounts or collecting GlobalProtect
clients VSAs, you must define VSAs on the RADIUS server. For details,
see the list of supported RADIUS Vendor-Specific Attributes Support.
By default, when authenticating to the RADIUS
server, the firewall or Panorama first tries Challenge-Handshake
Authentication Protocol (CHAP) and falls back to Password Authentication
Protocol (PAP) under certain conditions. Optionally, you can override
this automatic protocol selection and configure the firewall or
Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS Servers.
sending authentication requests to a RADIUS server, the firewall
and Panorama use the authentication profile name as the network
access server (NAS) identifier, even if the profile is assigned
to an authentication sequence for the service that initiates the
Add a RADIUS server profile.
the server profile.
For a firewall with more than one virtual system (vsys),
where the profile is available.
, enter an interval
in seconds after which an authentication request times out (range
is 1-30, default is 3).
Enter the number of automatic
before the request fails (range
is 1-5, default is 3).
For each RADIUS server, click
(to identify the server), server
IP address or FQDN (
(a key to encrypt passwords), and server
authentication requests (default is 1812).
If you use an FQDN address object to identify the
server and you subsequently change the address, you must commit
the change for the new server address to take effect.