Palo Alto Networks Knowledgebase: Configuring Administrator Authentication with Windows 2008 RADIUS Server (NPS/IAS)

13724
Created On 02/07/19 23:55 PM - Last Updated 02/07/19 23:55 PM
Resolution

Overview

This document describes the steps to configure administrator authentication on a Palo Alto Networks firewall against a Windows 2008 RADIUS server (the Network Policy Server, NPS, role).

The prerequisites for this configuration are:

  • L3 connectivity from the management interface or service route of the device to the RADIUS server, with UDP 1812 (or the legacy RADIUS port 1645) allowed along the path.
  • A Windows 2008 server with the NPS role installed that can validate domain accounts.
  • A shared secret that will be entered identically in the firewall's RADIUS server profile and in the NPS RADIUS client entry.

Steps

Part 1: Configuring the Palo Alto Networks Firewall

  1. Go to Device > Server Profiles > RADIUS and define a RADIUS server profile with the NPS server address, the authentication port (1812) and the shared secret.
  2. Go to Device > Authentication Profile and define an Authentication Profile of type RADIUS that references the server profile. Add the users or group to the profile's Allow List; an empty Allow List denies everyone.
  3. Go to Device > Admin Roles and define an Admin Role. In this case one for a vsys, not device wide.
  4. Go to Device > Access Domain and define an Access Domain.
  5. Go to Device > Setup > Management > Authentication Settings and select the RADIUS Authentication Profile created above.
  6. Go to Device > Administrators and verify that the user to be authenticated is not defined locally on the firewall. The profile selected under Authentication Settings is only consulted for administrators that do not exist locally, so a local account with the same name would bypass RADIUS.
  7. Commit the configuration.
  7. Commit the configuration

Part 2: Configuring the Windows 2008 server (NPS server role required)

  1. Click Start > Administrative Tools > Network Policy Server to open the NPS console.
  2. Add the Palo Alto Networks device as a RADIUS client:
    1. Open the RADIUS Clients and Servers section.
    2. Select RADIUS Clients.
    3. Right-click and select ‘New RADIUS Client’.
      Note: Only add a name, the IP address the firewall sources RADIUS traffic from (management interface or service route) and the shared secret from the RADIUS server profile. Leave the Vendor name on the standard setting, “RADIUS Standard”.
  3. After adding the clients, each firewall appears in the RADIUS Clients list with its address.
  4. Go to Policies and select Connection Request Policies. Make sure the policy that authenticates requests locally through Windows (by default “Use Windows authentication for all users”) is present and checked.
  5. Validate the Overview tab and make sure the policy is enabled.
  6. Verify the Conditions tab; the default policy matches requests from any day and time, which is sufficient here.
  7. Check the Settings tab, where it is defined how the user is authenticated: requests must be authenticated on this server, not forwarded to a remote RADIUS server group.
  8. Open the “Network Policies” section. Right-click on Network Policies and add a new policy.
  9. Give the policy a name.
  10. Go to the Conditions tab and select which users can be authenticated (best by group designation, e.g. a Windows group containing the firewall administrators).
  11. Go to the Constraints tab and make sure to enable “Unencrypted authentication (PAP, SPAP)”. The firewall sends the administrator password in the RADIUS User-Password attribute, which is only obfuscated with an MD5 keystream derived from the shared secret (RFC 2865), not encrypted, so use a long random shared secret and keep the management-to-NPS path on a trusted network.
  12. Go to the Settings tab and configure the VSAs (Vendor Specific Attributes) that NPS returns to map the user to the right Admin Role and Access Domain:
    1. Select Vendor Specific under the RADIUS Attributes section.
    2. Click “Add” in the pane to the right.
    3. Select “Custom” from the Vendor drop-down list.
    4. The only option left in the Attributes list now is “Vendor-Specific”.
    5. Click Add. The Attribute Information window opens.
    6. Click Add on the left side to bring up the Vendor-Specific Attribute Information window.
    7. Define the VSAs:
      1. Select “Enter Vendor Code” and enter “25461” (the Palo Alto Networks IANA enterprise number).
      2. Select “Yes. It conforms”, stipulating that the attribute conforms to the RADIUS RFC (RFC 2865) layout for vendor-specific attributes: the vendor ID followed by vendor-type, vendor-length and the value.
      3. Click “Configure Attribute…”.
      4. The Admin Role is vendor-assigned attribute number “1”.
      5. The attribute format is “String”.
      6. The attribute value is the Admin Role name, in this example “SE-Admin-Access”. It must match the name defined under Device > Admin Roles exactly.
      7. Click OK.
      8. Click Add to configure a second attribute (if needed). Vendor-assigned attribute number “2” is the Access Domain; its value must match the name defined under Device > Access Domain.
      9. Vendor-assigned attribute number “5” is the User-Group. It is not needed for administrator login, but a group name returned in it can be referenced in security policy.
        Note: The group can be used in a policy by typing/adding it manually in the appropriate rule.
      10. This gives two levels of authorization: rules for “known” users (for general access) and rules that additionally require the RADIUS-returned group for more tightly controlled resources.
      11. The list of attributes now shows a Vendor-Specific entry for attribute 1 and for attribute 2 (and 5, if configured).
    8. Click “OK” until all options are saved.
    9. Optionally, right-click on the policy to move it up or down, disable it or duplicate it; NPS evaluates network policies in order.

Part 3: Validate the setup

On the firewall

  1. Try a wrong password: the failed attempt is recorded in the System Log on the Palo Alto Networks firewall under Monitor > Logs > System.
  2. With the right password, the login succeeds and the System Log records the successful RADIUS authentication and the administrator login.
  3. Check the access rights: the administrator should see only the vsys and functions permitted by the Admin Role and Access Domain returned in the VSAs.


On the NPS side

  1. Open the Event Viewer (Start > Administrative Tools > Event Viewer) and select the Security log listed in the Windows Logs section.
  2. Look for entries with the Task Category “Network Policy Server”.
  3. For the successful login, expect:
    • Security Event 6272, “Network Policy Server granted access to a user.”
    • Event 6278, “Network Policy Server granted full access to a user because the host met the defined health policy.”
  4. For the wrong-password test, expect Event 6273, “Network Policy Server denied access to a user.” Its Reason Code field states why the request was denied, so it is the first place to look when the firewall reports an authentication failure.
owner: srommens



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGMCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail