Device > Server Profiles > RADIUS
Select DeviceServer ProfilesRADIUS or PanoramaServer ProfilesRADIUS to configure settings for the Remote Authentication Dial-In User Service (RADIUS) servers that authentication profiles reference (see Device > Authentication Profile). You can use RADIUS to authenticate end users who access your network resources (through GlobalProtect or Captive Portal), to authenticate administrators defined locally on the firewall or Panorama, and to authenticate and authorize administrators defined externally on the RADIUS server.
RADIUS Server Settings
Enter a name to identify the server profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Select the scope in which the profile is available. In the context of a firewall that has more than one virtual system (vsys), select a vsys or select Shared (all virtual systems). In any other context, you can’t select the Location; its value is predefined as Shared (firewalls) or as Panorama. After you save the profile, you can’t change its Location.
Administrator Use Only
Select this option to specify that only administrator accounts can use the profile for authentication. For firewalls that have multiple virtual systems, this option appears only if the Location is Shared.
Enter an interval in seconds after which an authentication request times out (range is 1 to 120; default is 3).
If you use the RADIUS server profile to integrate the firewall with an MFA service, enter an interval that gives users enough time to respond to the authentication challenge. For example, if the MFA service prompts for a one-time password (OTP), users need time to see the OTP on their endpoint device and then enter the OTP in the MFA login page.
Select the Authentication Protocol that the firewall uses to secure a connection to the RADIUS server:
Allow users to change passwords after expiry
(PEAP-MSCHAPv2 with GlobalProtect 4.1 or later) Select this option to allow GlobalProtect users to change expired passwords.
Make Outer Identity Anonymous
(PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP) This option is enabled by default to anonymize the user’s identity in the outer tunnel that the firewall creates after authenticating with the server.
Some RADIUS server configurations may not support anonymous outer IDs, and you may need to clear the option. When cleared, usernames are transmitted in cleartext.
(PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP) Select or configure a Certificate Profile to associate with the RADIUS server profile. The firewall uses the Certificate Profileto authenticate with the RADIUS server.
Specify the number of times to retry after a timeout (range is 1 to 5; default is 3).
Configure information for each server in the preferred order.
Configure RADIUS Authentication
Configure RADIUS Authentication You can configure RADIUS authentication for end users and firewall or Panorama administrators. For administrators, you can use RADIUS to manage authorization ...
Configure RADIUS Authentication for Panorama Administrators
Configure RADIUS Authentication for Panorama Administrators You can use a RADIUS server to authenticate administrative access to the Panorama web interface. You can also define ...
Set Up RADIUS or TACACS+ Authentication
Set Up RADIUS or TACACS+ Authentication RADIUS is a client/server protocol and software that enables remote access servers to communicate with a central server to ...
RADIUS Remote Authentication Dial-In User Service (RADIUS) is a broadly supported networking protocol that provides centralized authentication and authorization. You can configure RADIUS authentication for ...
Enable Delivery of GlobalProtect Endpoint VSAs to a RADIUS ...
Enable Delivery of VSAs to a RADIUS Server When communicating with portals or gateways, GlobalProtect endpoints send information that includes the endpoint IP address, operating ...
Configure an Authentication Profile and Sequence
Configure an Authentication Profile and Sequence An authentication profile defines the authentication service that validates the login credentials of administrators who access the firewall web ...
Configure Local or External Authentication for Firewall Adm...
Configure Local or External Authentication for Firewall Administrators You can use Local Authentication and External Authentication Services to authenticate administrators who access the firewall. These ...
Configure Multi-Factor Authentication
Configure Multi-Factor Authentication To use Multi-Factor Authentication (MFA) for protecting sensitive services and applications, you must configure Captive Portal to display a web form for ...
Enable Two-Factor Authentication Using One-Time Passwords (...
Enable Two-Factor Authentication Using One-Time Passwords (OTPs) Use this workflow to configure two-factor authentication using one-time passwords (OTPs) on the portal and gateways. When a ...