Remote Authentication Dial-In User Service (RADIUS) is a broadly supported networking protocol that provides centralized authentication and authorization. You can configure RADIUS authentication for end users or administrators on the firewall and for administrators on Panorama. Optionally, you can use RADIUS Vendor-Specific Attributes (VSAs) to manage administrator authorization. RADIUS VSAs enable you to quickly change the roles, access domains, and user groups of administrators through your directory service instead of reconfiguring settings on the firewall and Panorama. You can also configure the firewall to use a RADIUS server for:
When sending authentication requests to a RADIUS server, the firewall and Panorama use the authentication profile name as the network access server (NAS) identifier, even if the profile is assigned to an authentication sequence for the service (such as administrative access to the web interface) that initiates the authentication process.
The firewall and Panorama support the following RADIUS VSAs. To define VSAs on a RADIUS server, you must specify the vendor code (25461 for Palo Alto Networks firewalls or Panorama) and the VSA name and number. Some VSAs also require a value. Refer to your RADIUS server documentation for the steps to define these VSAs.
When configuring the advanced vendor options on a Cisco Secure Access Control Server (ACS), you must set both the Vendor Length Field Size and the Vendor Type Field Size to 1. Otherwise, authentication will fail.
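The two requirements above (the vendor code 25461 with 1-byte vendor type and length fields, and the authentication profile name carried as the NAS identifier) can be checked against the RFC 2865 wire format. The following is an added example, not code from the documentation or from Palo Alto Networks: it encodes a NAS-Identifier attribute and one Palo Alto Networks Vendor-Specific attribute, decodes them back, and shows why a server that writes 2-byte vendor type and length fields produces an attribute a 1-byte-field decoder rejects. The VSA number (1), the profile name and the role value are placeholders constructed for the example; the page does not give them.

```python
import struct

# Values from the page: Palo Alto Networks vendor code and RFC 2865 attribute types.
PAN_VENDOR_ID = 25461
ATTR_VENDOR_SPECIFIC = 26
ATTR_NAS_IDENTIFIER = 32

# Placeholders, not from the page: the VSA number and the values carried.
EXAMPLE_VSA_NUMBER = 1                         # placeholder vendor type
EXAMPLE_PROFILE_NAME = "radius-admin-profile"  # constructed authentication profile name
EXAMPLE_ROLE_NAME = "example-admin-role"       # constructed role value


def encode_attr(attr_type, value):
    """Encode a plain RFC 2865 attribute: 1-byte type, 1-byte length, value."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    if 2 + len(value) > 255:
        raise ValueError("attribute exceeds 255 bytes")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value, field_size=1):
    """Encode a Vendor-Specific attribute (type 26). field_size is the width in
    bytes of the vendor type and vendor length fields; 1 is what the page requires."""
    if isinstance(value, str):
        value = value.encode("utf-8")
    fmt = {1: "!BB", 2: "!HH"}[field_size]
    vendor_data = struct.pack(fmt, vendor_type, 2 * field_size + len(value)) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + vendor_data)


def decode_attrs(data):
    """Walk an attribute list and return (type, vendor_id, vendor_type, value)
    tuples, decoding VSA sub-attributes with 1-byte type and length fields."""
    out = []
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        payload = data[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(payload) < 6:
                raise ValueError("VSA shorter than vendor id plus sub-attribute header")
            vendor_id = struct.unpack("!I", payload[:4])[0]
            vpos = 4
            while vpos < len(payload):
                if len(payload) - vpos < 2:
                    raise ValueError("truncated vendor sub-attribute")
                vtype, vlen = payload[vpos], payload[vpos + 1]
                if vlen < 2 or vpos + vlen > len(payload):
                    raise ValueError("bad vendor length field")
                out.append((atype, vendor_id, vtype, payload[vpos + 2:vpos + vlen]))
                vpos += vlen
        else:
            out.append((atype, None, None, payload))
        pos += alen
    return out


def pan_vsas(data):
    """Return {vendor_type: value} for sub-attributes carrying the Palo Alto Networks vendor code."""
    return {vt: val for (_, vid, vt, val) in decode_attrs(data) if vid == PAN_VENDOR_ID}


def example_request_attrs():
    """Attributes the firewall would send: NAS-Identifier set to the authentication
    profile name, plus one Palo Alto Networks VSA (placeholder number) with a role value."""
    return (encode_attr(ATTR_NAS_IDENTIFIER, EXAMPLE_PROFILE_NAME)
            + encode_vsa(PAN_VENDOR_ID, EXAMPLE_VSA_NUMBER, EXAMPLE_ROLE_NAME))


def two_byte_fields_break_decoding():
    """Show why the ACS field sizes must be 1: the same VSA written with 2-byte
    vendor type/length fields is rejected by a decoder expecting 1-byte fields."""
    bad = encode_vsa(PAN_VENDOR_ID, EXAMPLE_VSA_NUMBER, EXAMPLE_ROLE_NAME, field_size=2)
    try:
        decode_attrs(bad)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    attrs = example_request_attrs()
    print(attrs.hex())
    print(pan_vsas(attrs))
    print("2-byte fields rejected:", two_byte_fields_break_decoding())
```

When troubleshooting a RADIUS authentication failure, capturing the Access-Request and running its attribute list through a decoder like this shows whether the NAS-Identifier matches the expected authentication profile name and whether the vendor sub-attribute header parses with 1-byte fields; a "bad vendor length field" on an otherwise valid packet is the signature of a server configured with 2-byte field sizes.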
A default (dynamic) administrative role name or a custom administrative role name on the firewall.
The name of an access domain for firewall administrators (configured in the page). Define this VSA if the firewall has multiple virtual systems.
A default (dynamic) administrative role name or a custom administrative role name on Panorama.
The name of an access domain for Device Group and Template administrators (configured in the
The name of a user group that an authentication profile references.
Don’t specify a value when you define these VSAs.