RADIUS Vendor-Specific Attributes Support

Palo Alto Networks firewalls and Panorama support the following RADIUS Vendor-Specific Attributes (VSAs). To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama) and the VSA name and number. Some VSAs also require a value.

| Name | Number | Value |
|------|--------|-------|
| PaloAlto-Admin-Role | 1 | A default (dynamic) administrative role name or a custom administrative role name on the firewall. |
| PaloAlto-Admin-Access-Domain | 2 | The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems. |
| PaloAlto-Panorama-Admin-Role | 3 | A default (dynamic) administrative role name or a custom administrative role name on Panorama. |
| PaloAlto-Panorama-Admin-Access-Domain | 4 | The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page). |
| PaloAlto-User-Group | 5 | The name of a user group that an authentication profile references. |
| PaloAlto-User-Domain | 6 | Don’t specify a value when you define these VSAs. |
| PaloAlto-Client-Source-IP | 7 | Don’t specify a value when you define these VSAs. |
| PaloAlto-Client-OS | 8 | Don’t specify a value when you define these VSAs. |
| PaloAlto-Client-Hostname | 9 | Don’t specify a value when you define these VSAs. |
| PaloAlto-GlobalProtect-Client-Version | 10 | Don’t specify a value when you define these VSAs. |
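
To show where the vendor code and VSA number end up on the wire, the following added example (not Palo Alto Networks code) encodes and decodes these VSAs in the RFC 2865 Vendor-Specific attribute layout, which is useful when checking in a packet capture which role or access domain a RADIUS server actually returned. It assumes VSA values are text strings; the role and domain names and the sample attribute bytes are constructed.

```python
import struct

PALO_ALTO_VENDOR_ID = 25461  # vendor code given on this page
VENDOR_SPECIFIC = 26         # RFC 2865 attribute type that carries VSAs
VSA_NAMES = dict(enumerate((  # VSA numbers 1-10 from the table above
    "PaloAlto-Admin-Role", "PaloAlto-Admin-Access-Domain",
    "PaloAlto-Panorama-Admin-Role", "PaloAlto-Panorama-Admin-Access-Domain",
    "PaloAlto-User-Group", "PaloAlto-User-Domain",
    "PaloAlto-Client-Source-IP", "PaloAlto-Client-OS",
    "PaloAlto-Client-Hostname", "PaloAlto-GlobalProtect-Client-Version",
), start=1))

def encode_vsa(number, value):
    """Encode one Palo Alto VSA as a Vendor-Specific (type 26) attribute."""
    data = value.encode("utf-8")  # assumption: values are text strings
    if number not in VSA_NAMES or len(data) > 247:  # 255 - 8 header bytes
        raise ValueError("unknown VSA number or value too long")
    sub = bytes([number, len(data) + 2]) + data
    header = bytes([VENDOR_SPECIFIC, len(sub) + 6])
    return header + struct.pack("!I", PALO_ALTO_VENDOR_ID) + sub

def decode_vsas(attrs):
    """Return {name: value} for every Palo Alto VSA in a raw attribute list."""
    found, pos = {}, 0
    while pos < len(attrs):
        if len(attrs) - pos < 2 or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute length")
        atype, body = attrs[pos], attrs[pos + 2:pos + attrs[pos + 1]]
        pos += attrs[pos + 1]
        if atype != VENDOR_SPECIFIC or len(body) < 4:
            continue
        if struct.unpack("!I", body[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue  # another vendor's VSA, not ours
        sub = body[4:]
        while sub:
            if len(sub) < 2 or not 2 <= sub[1] <= len(sub):
                raise ValueError("malformed sub-attribute length")
            name = VSA_NAMES.get(sub[0], f"PaloAlto-Unknown-{sub[0]}")
            found[name] = sub[2:sub[1]].decode("utf-8")
            sub = sub[sub[1]:]
    return found

# Constructed sample: attribute section of a hypothetical Access-Accept.
SAMPLE_ATTRS = (
    bytes([18, 4]) + b"ok"                                         # Reply-Message
    + bytes([26, 9]) + struct.pack("!I", 9) + bytes([1, 3]) + b"x"  # other vendor
    + encode_vsa(1, "example-custom-role")
    + encode_vsa(2, "example-domain")
)

if __name__ == "__main__":
    print(decode_vsas(SAMPLE_ATTRS))
```
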
