End-of-Life (EoL)

Configure a RADIUS Server Profile

You can configure the firewall or Panorama to use a RADIUS server for managing administrator accounts. You can also configure the firewall to use a RADIUS server for authenticating end users and collecting RADIUS Vendor-Specific Attributes (VSAs) from GlobalProtect clients.
When you predefine dynamic administrator roles on the server, use lower-case to specify the role (for example, enter superuser, not SuperUser).
To use a RADIUS server for managing administrator accounts or collecting VSAs from GlobalProtect clients, you must define VSAs on the RADIUS server. For details, see the list of supported VSAs in RADIUS Vendor-Specific Attributes Support.
By default, when authenticating to the RADIUS server, the firewall or Panorama first tries Challenge-Handshake Authentication Protocol (CHAP) and falls back to Password Authentication Protocol (PAP) under certain conditions. Optionally, you can override this automatic protocol selection and configure the firewall or Panorama to always use a specific protocol. For details, see Set CHAP or PAP Authentication for RADIUS Servers.
When sending authentication requests to a RADIUS server, the firewall and Panorama use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence for the service that initiates the authentication process.
  1. Add a RADIUS server profile.
    1. Select Device > Server Profiles > RADIUS and click Add.
    2. Enter a Profile Name to identify the server profile.
    3. For a firewall with more than one virtual system (vsys), select the Location (vsys or Shared) where the profile is available.
    4. For the Timeout, enter an interval in seconds after which an authentication request times out (range is 1-30, default is 3).
    5. Enter the number of automatic Retries following a Timeout before the request fails (range is 1-5, default is 3).
    6. For each RADIUS server, click Add and enter a Name (to identify the server), server IP address or FQDN (RADIUS Server field), Secret / Confirm Secret (a key to encrypt passwords), and server Port for authentication requests (default is 1812).
      If you use an FQDN address object to identify the server and you subsequently change the address, you must commit the change for the new server address to take effect.
    7. Click OK.
  2. Implement the RADIUS server profile.
    1. Assign the RADIUS server profile to an authentication profile or sequence.
    2. Test a RADIUS Authentication Profile to verify that the firewall or Panorama can connect to the RADIUS server.
    3. Commit your changes.
