to configure settings
for the Remote Authentication Dial-In
User Service (RADIUS) servers that authentication profiles reference
> Authentication Profile). You can use RADIUS to authenticate
end users who access your network resources (through GlobalProtect
or Captive Portal), to authenticate administrators defined locally
on the firewall or Panorama, and to authenticate and authorize administrators
defined externally on the RADIUS server.
RADIUS Server Settings
Enter a name to identify the server profile
(up to 31 characters). The name is case-sensitive and must be unique.
Use only letters, numbers, spaces, hyphens, and underscores.
Select the scope in which the profile is
available. In the context of a firewall that has more than one virtual
system (vsys), select a vsys or select
virtual systems). In any other context, you can’t select the
its value is predefined as Shared (
) or as Panorama.
After you save the profile, you can’t change its
Administrator Use Only
Select this option to specify that only
administrator accounts can use the profile for authentication. For
firewalls that have multiple virtual systems, this option appears
only if the
Enter an interval in seconds after which
an authentication request times out (range is 1 to 120; default
If you use the RADIUS server
profile to integrate the firewall with an MFA service, enter an
interval that gives users enough time to respond to the authentication
challenge. For example, if the MFA service prompts for a one-time
password (OTP), users need time to see the OTP on their endpoint
device and then enter the OTP in the MFA login page.
the firewall uses to secure a connection to the RADIUS server:
Protocol (CHAP) is the default and preferred protocol because it
is more secure than PAP.
—Select Password Authentication
Protocol (PAP) if the RADIUS server does not support CHAP or is
not configured for it.
—The firewall first tries to authenticate
using CHAP. If the RADIUS server doesn’t respond, the firewall falls
back to PAP.
Enter the number of automatic retries following
a timeout before the request fails (range is 1 to 5; default is
Configure information for each server in
the preferred order.
a name to identify the server.
—Enter the server IP
address or FQDN.
—Enter and confirm
a key to verify and encrypt the connection between the firewall
and the RADIUS server.
—Enter the server port (range
is 1 to 65,535; default is 1812) for authentication requests.