Remote Authentication Dial-In User Service (RADIUS)
is a broadly supported networking protocol that provides centralized
authentication and authorization. You can configure RADIUS authentication
for end users or administrators on the firewall and for
administrators on Panorama. Optionally, you can use RADIUS
Vendor-Specific Attributes (VSAs) to manage administrator authorization.
RADIUS VSAs enable you to quickly change the roles, access domains,
and user groups of administrators through your directory service instead
of reconfiguring settings on the firewall and Panorama. You can
also configure the firewall to use a RADIUS server for:
When sending authentication requests to a RADIUS server, the
firewall and Panorama set the NAS-Identifier attribute (RADIUS attribute 32)
to the name of the authentication profile, even when that profile is reached
through an authentication sequence assigned to the service (such as administrative
access to the web interface) that initiates the authentication. If your RADIUS
server policy matches on NAS-Identifier, match the profile name, not the sequence name.
The firewall and Panorama support the following RADIUS VSAs.
To define VSAs on a RADIUS server, you must specify the vendor code
(25461 for Palo Alto Networks firewalls or Panorama) and the VSA
name and number. Some VSAs also require a value. Refer to your RADIUS
server documentation for the steps to define these VSAs.
Alternatively, you can download the Palo Alto Networks RADIUS dictionary,
which defines the authentication attributes that the Palo Alto Networks
firewall and a RADIUS server use to communicate with each other,
and install it on your RADIUS server to map the attributes to the
RADIUS binary data.
When you predefine dynamic administrator roles for users on
the server, use lower-case to specify the role (for example, enter superuser,
not SuperUser).
When configuring the advanced vendor options
on a Cisco Secure Access Control Server (ACS), you must set both
the Vendor Length Field Size and the Vendor Type Field Size to 1,
so that each VSA is encoded with a one-byte Vendor-Type and a one-byte
Vendor-Length (the RFC 2865 layout the firewall expects). With any other
field size, authentication will fail.
VSA name (number): value

(VSA name and number missing here): A default (dynamic) administrative role name
or a custom administrative role name on the firewall.

PaloAlto-Admin-Access-Domain (2): The name of an access domain for firewall administrators
(configured on the Device > Access Domains page). Define
this VSA if the firewall has multiple virtual systems.

PaloAlto-Panorama-Admin-Role (3): A default (dynamic) administrative role name
or a custom administrative role name on Panorama.

PaloAlto-Panorama-Admin-Access-Domain (4): The name of an access domain for Device Group
and Template administrators (configured on the Panorama > Access Domains page).

PaloAlto-User-Group (5): The name of a user group that an authentication
profile references.
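The following is an added example, not Palo Alto Networks code and not any RADIUS server's code. It ties together the dictionary passage and the VSA table above: it parses a constructed FreeRADIUS-style dictionary fragment for vendor 25461, encodes those VSAs in the one-byte Vendor-Type / one-byte Vendor-Length layout that the ACS note requires, decodes them back (rejecting malformed lengths), checks the lower-case role rule, sets NAS-Identifier to the authentication profile name as described above, and wraps an Access-Accept with the RFC 2865 Response Authenticator. Assumptions: PaloAlto-Admin-Role = 1 (the table's first row lost its name and number here), and the shared secret, request authenticator, user name and profile name "RADIUS-Admins" are constructed sample values. All function names are the example's own.

```python
"""Encode, decode and validate Palo Alto Networks RADIUS VSAs (RFC 2865 attribute 26)."""
import hashlib
import hmac
import struct

USER_NAME = 1            # RFC 2865 attribute types
VENDOR_SPECIFIC = 26
NAS_IDENTIFIER = 32
PAN_VENDOR_ID = 25461    # vendor code from the page

# Constructed FreeRADIUS-style dictionary fragment. Vendor 25461 and attributes
# 2-5 come from the page; "PaloAlto-Admin-Role = 1" is an ASSUMPTION.
PAN_DICTIONARY = """\
VENDOR       PaloAlto  25461
BEGIN-VENDOR PaloAlto
ATTRIBUTE    PaloAlto-Admin-Role                    1  string
ATTRIBUTE    PaloAlto-Admin-Access-Domain           2  string
ATTRIBUTE    PaloAlto-Panorama-Admin-Role           3  string
ATTRIBUTE    PaloAlto-Panorama-Admin-Access-Domain  4  string
ATTRIBUTE    PaloAlto-User-Group                    5  string
END-VENDOR   PaloAlto
"""


def parse_dictionary(text):
    """Return {attribute name: vendor type number} from ATTRIBUTE lines."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "ATTRIBUTE":
            names[parts[1]] = int(parts[2])
    return names


ATTR_NUM = parse_dictionary(PAN_DICTIONARY)
ATTR_NAME = {num: name for name, num in ATTR_NUM.items()}


def encode_attr(atype, value):
    """Plain RADIUS attribute: Type(1) Length(1) Value, max 253 value bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_vsa(name, value):
    """Vendor-Specific attribute: Vendor-Id(4) then a 1-byte Vendor-Type and
    1-byte Vendor-Length sub-header (the field sizes the ACS note requires)."""
    data = value.encode()
    inner = struct.pack("!BB", ATTR_NUM[name], 2 + len(data)) + data
    return encode_attr(VENDOR_SPECIFIC, struct.pack("!I", PAN_VENDOR_ID) + inner)


def decode_attrs(blob):
    """Walk an attribute list; return ([(type, value), ...], {pan_name: str}).
    Bad lengths raise instead of being skipped silently."""
    std, pan, i = [], {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("bad attribute length")
        val = blob[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC and len(val) >= 4 and struct.unpack("!I", val[:4])[0] == PAN_VENDOR_ID:
            j = 4
            while j < len(val):
                if j + 2 > len(val):
                    raise ValueError("truncated VSA sub-header")
                vtype, vlen = val[j], val[j + 1]
                if vlen < 2 or j + vlen > len(val):
                    raise ValueError("bad VSA length")
                pan[ATTR_NAME.get(vtype, vtype)] = val[j + 2:j + vlen].decode("ascii", "replace")
                j += vlen
        else:
            std.append((atype, val))   # other vendors' VSAs stay opaque here
        i += alen
    return std, pan


def admin_role(pan):
    """Firewall admin role, or None if absent or not lower-case ('superuser', not 'SuperUser')."""
    role = pan.get("PaloAlto-Admin-Role")
    return role if role is not None and role == role.lower() else None


def access_request_attrs(user, auth_profile):
    """User-Name plus NAS-Identifier carrying the authentication profile name."""
    return encode_attr(USER_NAME, user.encode()) + encode_attr(NAS_IDENTIFIER, auth_profile.encode())


def access_accept(ident, request_auth, secret, attrs):
    """Access-Accept (code 2); Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(packet, request_auth, secret):
    """Check length and authenticator; return decoded attributes or None."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return None
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return decode_attrs(attrs) if hmac.compare_digest(expected, auth) else None


if __name__ == "__main__":
    secret, req_auth = b"constructed-shared-secret", bytes(range(16))  # constructed values
    accept = encode_vsa("PaloAlto-Admin-Role", "superuser") + encode_vsa("PaloAlto-Admin-Access-Domain", "vsys1")
    pkt = access_accept(7, req_auth, secret, accept)
    print(decode_attrs(access_request_attrs("alice", "RADIUS-Admins")))
    print(verify_response(pkt, req_auth, secret), admin_role(verify_response(pkt, req_auth, secret)[1]))
```

The decoder deliberately raises on any inconsistent length field rather than skipping the attribute: a silently dropped PaloAlto-Admin-Role would otherwise look like "no role returned", which is exactly the failure the ACS field-size note warns about, and you want it to be loud.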