Remote Authentication Dial-In User Service (RADIUS)
is a broadly supported networking protocol that provides centralized
authentication and authorization. You can configure RADIUS authentication
for end users or administrators on the firewall and for
administrators on Panorama. Optionally, you can use RADIUS
Vendor-Specific Attributes (VSAs) to manage administrator authorization.
RADIUS VSAs enable you to quickly change the roles, access domains,
and user groups of administrators through your directory service instead
of reconfiguring settings on the firewall and Panorama. You can
also configure the firewall to use a RADIUS server for:
When sending authentication requests to a RADIUS server, the
firewall and Panorama use the authentication profile name as the
network access server (NAS) identifier, even if the profile is assigned
to an authentication sequence for the service (such as administrative
access to the web interface) that initiates the authentication process.
The firewall and Panorama support the following RADIUS VSAs.
To define VSAs on a RADIUS server, you must specify the vendor code
(25461 for Palo Alto Networks firewalls or Panorama) and the VSA
name and number. Some VSAs also require a value. Refer to your RADIUS
server documentation for the steps to define these VSAs.
Alternatively, you can download the Palo Alto Networks RADIUS dictionary,
which defines the authentication attributes that the Palo Alto Networks
firewall and a RADIUS server use to communicate with each other,
and install it on your RADIUS server to map the attributes to the
RADIUS binary data.
When you predefine dynamic administrator roles for users on
the server, use lower-case to specify the role (for example, enter
When configuring the advanced vendor options
on a Cisco Secure Access Control Server (ACS), you must set both