Palo Alto Networks firewalls and Panorama support the following RADIUS Vendor-Specific Attributes (VSAs). To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama) and the VSA name and number. Some VSAs also require a value.
Name Number Value
VSAs for administrator account management and authentication
PaloAlto-Admin-Role 1 A default (dynamic) administrative role name or a custom administrative role name on the firewall.
PaloAlto-Admin-Access-Domain 2 The name of an access domain for firewall administrators (configured in the Device > Access Domains page). Define this VSA if the firewall has multiple virtual systems.
PaloAlto-Panorama-Admin-Role 3 A default (dynamic) administrative role name or a custom administrative role name on Panorama.
PaloAlto-Panorama-Admin-Access-Domain 4 The name of an access domain for Device Group and Template administrators (configured in the Panorama > Access Domains page).
PaloAlto-User-Group 5 The name of a user group that an authentication profile references.
VSAs forwarded from GlobalProtect clients to the RADIUS server
PaloAlto-User-Domain 6 Don’t specify a value when you define these VSAs.
PaloAlto-Client-Source-IP 7
PaloAlto-Client-OS 8
PaloAlto-Client-Hostname 9
PaloAlto-GlobalProtect-Client-Version 10

Related Documentation