The following procedure provides an overview of the tasks required to use RADIUS Vendor-Specific Attributes (VSAs) for administrator authentication to Palo Alto Networks firewalls. For detailed instructions, refer to the following Knowledge Base articles:
Create the administrative accounts in the directory service that your network uses (for example, Active Directory).
Set up a RADIUS server that can communicate with that directory service.
Use RADIUS Vendor-Specific Attributes for Account Authentication
Configure the firewall.
Configure an Admin Role Profile if the administrator will use a custom role.
Configure an access domain if the firewall has more than one virtual system (vsys):
Device > Access Domain,
an access domain, and enter a
to identify the access domain.
each vsys that the administrator will access, and then click
Configure a RADIUS Server Profile.Configure an authentication profile. Set the authentication
and assign the RADIUS
Configure the firewall to use the authentication profile for administrator access—Select
Device > Setup > Management, edit the Authentication Settings, and select the
Configure the RADIUS server.
Add the firewall IP address or hostname as the RADIUS client.
Define the VSAs for administrator authentication. You must specify the vendor code (25461 for Palo Alto Networks firewalls) and the VSA name, number, and value: see
RADIUS Vendor-Specific Attributes Support.
When configuring the advanced vendor options on a Cisco ACS, you must set both the
Vendor Length Field Size
Vendor Type Field Size
. Otherwise, authentication will fail.
Configure RADIUS Vendor-Specific Attributes for Administrator Authentication
Configure RADIUS Vendor-Specific Attributes for Administrator Authentication The following procedure provides an overview of the tasks required to configure RADIUS Vendor-Specific Attributes (VSAs) for administrator ...
Configure a RADIUS Server Profile
Configure a RADIUS Server Profile You can configure the firewall or Panorama to use a RADIUS server for managing administrator accounts. You can also configure ...
RADIUS Vendor-Specific Attributes Support
RADIUS Vendor-Specific Attributes Support Palo Alto Networks firewalls and Panorama support the following RADIUS Vendor-Specific Attributes (VSAs). To define VSAs on a RADIUS server, you ...
Configure Authentication Server Profiles
Configure Authentication Server Profiles Configure a RADIUS Server Profile Set CHAP or PAP Authentication for RADIUS Servers RADIUS Vendor-Specific Attributes Support Configure a TACACS+ Server ...
Enable Delivery of GlobalProtect Client VSAs to a RADIUS Se...
Enable Delivery of GlobalProtect Client VSAs to a RADIUS Server When communicating with GlobalProtect portals or gateways, GlobalProtect clients send information that includes the client ...
Role-Based Access Control Role-based access control (RBAC) enables you to define the privileges and responsibilities of administrative users (administrators). Every administrator must have a user ...
Administrative Authentication You can configure the following types of administrator authentication: Account Type Authentication Method Description Local Local (no database) The administrator account credentials and ...
Authentication Many of the services that Palo Alto Networks firewalls and Panorama provide require authentication, including administrator access to the web interface and end user ...
Configure Administrative Accounts and Authentication
Configure Administrative Accounts and Authentication If you have already configured Administrative Roles , external authentication services (if applicable), and Access Domains (for Device Group and ...