Device > Server Profiles > RADIUS

Select Device > Server Profiles > RADIUS or Panorama > Server Profiles > RADIUS to configure settings for the Remote Authentication Dial-In User Service (RADIUS) servers that authentication profiles reference (see Device > Authentication Profile). You can use RADIUS to authenticate end users who access your network resources (through GlobalProtect or Captive Portal), to authenticate administrators defined locally on the firewall or Panorama, and to authenticate and authorize administrators defined externally on the RADIUS server.
RADIUS Server Settings
Description
Profile Name
Enter a name to identify the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Location
Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you save the profile, you can’t change its Location.
Administrator Use Only
Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.
Timeout
Enter an interval in seconds after which an authentication request times out (range is 1 to 120; default is 3).
If you use the RADIUS server profile to integrate the firewall with an MFA service, enter an interval that gives users enough time to respond to the authentication challenge. For example, if the MFA service prompts for a one-time password (OTP), users need time to see the OTP on their endpoint device and then enter the OTP in the MFA login page.
Authentication Protocol
Select the Authentication Protocol that the firewall uses to secure a connection to the RADIUS server:
  • CHAP—Challenge-Handshake Authentication Protocol (CHAP) is the default and preferred protocol because it is more secure than PAP.
  • PAP—Select Password Authentication Protocol (PAP) if the RADIUS server does not support CHAP or is not configured for it.
  • Auto—The firewall first tries to authenticate using CHAP. If the RADIUS server doesn’t respond, the firewall falls back to PAP.
Retries
Enter the number of automatic retries following a timeout before the request fails (range is 1 to 5; default is 3).
Servers
Configure information for each server in the preferred order.
  • Name—Enter a name to identify the server.
  • RADIUS Server—Enter the server IP address or FQDN.
  • Secret/Confirm Secret—Enter and confirm a key to verify and encrypt the connection between the firewall and the RADIUS server.
  • Port—Enter the server port (range is 1 to 65,535; default is 1812) for authentication requests.
