Device > Server Profiles > RADIUS
Select Device > Server Profiles > RADIUS to configure settings for the Remote Authentication Dial-In User Service (RADIUS) servers that authentication profiles reference (see Device > Authentication Profile). You can use RADIUS to authenticate end users who access your network resources (through GlobalProtect or Captive Portal), to authenticate administrators defined locally on the firewall or Panorama, and to authenticate and authorize administrators defined externally on the RADIUS server.
RADIUS Server Settings
Enter a name to identify the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you save the profile, you can’t change its
Administrator Use Only
Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the
Enter an interval in seconds after which an authentication request times out (range is 1 to 120; default is 3).
If you use the RADIUS server profile to integrate the firewall with an MFA service, enter an interval that gives users enough time to respond to the authentication challenge. For example, if the MFA service prompts for a one-time password (OTP), users need time to see the OTP on their endpoint device and then enter the OTP in the MFA login page.
Authentication Protocol that the firewall uses to secure a connection to the RADIUS server:
Allow users to change passwords after expiry
(PEAP-MSCHAPv2 with GlobalProtect 4.1 or later) Select this option to allow GlobalProtect users to change expired passwords.
Make Outer Identity Anonymous
(PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP) This option is enabled by default to anonymize the user’s identity in the outer tunnel that the firewall creates after authenticating with the server.
Some RADIUS server configurations may not support anonymous outer IDs, and you may need to clear the option. When cleared, usernames are transmitted in cleartext.
(PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP) Select or configure a Certificate Profile to associate with the RADIUS server profile. The firewall uses the Certificate Profile to authenticate with the RADIUS server.
Specify the number of times to retry after a timeout (range is 1 to 5; default is 3).
Configure information for each server in the preferred order.
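The limits and protocol-specific options described above can be checked before a profile is deployed. The following is an added example, not Palo Alto Networks code: the dictionary keys, the sample profiles, and the mfa_min_timeout threshold are assumptions made for illustration and do not represent a PAN-OS export format or a vendor-recommended value.

```python
import re

# Constraints taken from the field descriptions above.
NAME_RE = re.compile(r"[A-Za-z0-9 _-]{1,31}")
EAP_PROTOCOLS = {"PEAP-MSCHAPv2", "PEAP with GTC", "EAP-TTLS with PAP"}

def lint_profiles(profiles, mfa_min_timeout=30):
    """Return (profile name, finding) pairs for a list of profile dicts.

    The dict keys and mfa_min_timeout are assumptions of this example,
    not a PAN-OS export format or a vendor-recommended value.
    """
    findings, seen = [], set()
    for p in profiles:
        name = p.get("name", "")
        add = lambda msg: findings.append((name, msg))
        if not NAME_RE.fullmatch(name):
            add("name must be 1-31 letters, numbers, spaces, hyphens, underscores")
        if name in seen:  # names are case-sensitive, so compare exactly
            add("name is not unique")
        seen.add(name)
        timeout = p.get("timeout", 3)  # documented default is 3 seconds
        if not 1 <= timeout <= 120:
            add("timeout outside 1-120 seconds")
        elif p.get("mfa") and timeout < mfa_min_timeout:
            add(f"timeout {timeout}s may be too short for an MFA challenge")
        if not 1 <= p.get("retries", 3) <= 5:
            add("retries outside 1-5")
        proto = p.get("protocol")
        if proto in EAP_PROTOCOLS:
            # The option is enabled by default; clearing it exposes usernames.
            if not p.get("anonymous_outer_identity", True):
                add("outer identity not anonymous: usernames sent in cleartext")
            if not p.get("certificate_profile"):
                add("no Certificate Profile associated")
        if p.get("allow_password_change") and proto != "PEAP-MSCHAPv2":
            add("password change after expiry applies to PEAP-MSCHAPv2 only")
    return findings

# Constructed sample profiles (not taken from a real device).
SAMPLE = [
    {"name": "radius-mfa", "protocol": "PEAP-MSCHAPv2", "timeout": 3,
     "retries": 3, "mfa": True, "certificate_profile": "radius-ca"},
    {"name": "legacy radius!", "protocol": "EAP-TTLS with PAP", "timeout": 10,
     "retries": 6, "anonymous_outer_identity": False},
]

if __name__ == "__main__":
    for name, msg in lint_profiles(SAMPLE):
        print(f"{name}: {msg}")
```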