The following procedure provides an overview of the tasks required to use RADIUS Vendor-Specific Attributes (VSAs) for administrator authentication to Palo Alto Networks firewalls. For detailed instructions, refer to the following Knowledge Base articles:
- For Windows 2003 Server, Windows 2008 (and later), and Cisco ACS 4.0: RADIUS Vendor-Specific Attributes (VSAs)
- For Cisco ACS 5.2: Configuring Cisco ACS 5.2 for use with Palo Alto VSA
Before starting this procedure, you must:
- Create the administrative accounts in the directory service that your network uses (for example, Active Directory).
- Set up a RADIUS server that can communicate with that directory service.
Use RADIUS Vendor-Specific Attributes for Account Authentication
1. Configure the firewall.
   a. Configure an Admin Role Profile if the administrator will use a custom role.
   b. Configure an access domain if the firewall has more than one virtual system (vsys): Select Device > Access Domain, Add an access domain, and enter a Name to identify the access domain. Add each vsys that the administrator will access, and then click OK.
   c. Configure a RADIUS Server Profile.
   d. Configure an authentication profile. Set the authentication Type to RADIUS and assign the RADIUS Server Profile.
   e. Configure the firewall to use the authentication profile for administrator access: Select Device > Setup > Management, edit the Authentication Settings, and select the Authentication Profile.
   f. Click OK and Commit.
2. Configure the RADIUS server.
   a. Add the firewall IP address or hostname as the RADIUS client.
   b. Define the VSAs for administrator authentication. You must specify the vendor code (25461 for Palo Alto Networks firewalls) and the VSA name, number, and value: see RADIUS Vendor-Specific Attributes Support.
      When configuring the advanced vendor options on a Cisco ACS, you must set both the Vendor Length Field Size and Vendor Type Field Size to 1. Otherwise, authentication will fail.
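The following added example (not part of the original procedure or of any vendor tooling) shows why the field sizes in step 2 matter: it encodes a Vendor-Specific attribute as laid out in RFC 2865 with vendor code 25461 and parses it the way a receiver expecting 1-byte type and length fields would. The VSA number 1 and the value "superuser" are constructed sample inputs, and the strict single-sub-attribute parser is an assumption; take real names, numbers, and values from RADIUS Vendor-Specific Attributes Support.

```python
import struct

PALO_ALTO_VENDOR_ID = 25461  # vendor code given in the procedure above
VENDOR_SPECIFIC = 26         # RADIUS attribute type for VSAs (RFC 2865)


def encode_vsa(vendor_id, vsa_number, value, type_size=1, length_size=1):
    """Build one Vendor-Specific attribute carrying a single sub-attribute.

    type_size/length_size model the RADIUS server's "Vendor Type Field Size"
    and "Vendor Length Field Size" settings.
    """
    data = value.encode("utf-8")
    sub_len = type_size + length_size + len(data)
    sub = (vsa_number.to_bytes(type_size, "big")
           + sub_len.to_bytes(length_size, "big")
           + data)
    body = struct.pack("!I", vendor_id) + sub
    total = 2 + len(body)  # outer type byte + outer length byte + body
    if total > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return bytes([VENDOR_SPECIFIC, total]) + body


def decode_vsa(attr, type_size=1, length_size=1):
    """Parse one VSA as a receiver expecting the given field sizes.

    Assumes one sub-attribute per VSA; raises ValueError on any mismatch.
    """
    if len(attr) < 6 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    sub = attr[6:]
    header = type_size + length_size
    if len(sub) < header:
        raise ValueError("sub-attribute header truncated")
    number = int.from_bytes(sub[:type_size], "big")
    sub_len = int.from_bytes(sub[type_size:header], "big")
    if sub_len != len(sub):
        raise ValueError("sub-attribute length mismatch: check field sizes")
    return vendor_id, number, sub[header:].decode("utf-8")


if __name__ == "__main__":
    good = encode_vsa(PALO_ALTO_VENDOR_ID, 1, "superuser")  # sizes 1 and 1
    print(good.hex(), decode_vsa(good))
    bad = encode_vsa(PALO_ALTO_VENDOR_ID, 1, "superuser", 2, 2)  # wrong sizes
    try:
        decode_vsa(bad)
    except ValueError as err:
        print("rejected:", err)
```
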
