Configuring Administrator Authentication with Windows 2008 RADIUS Server (NPS/IAS)

Created On 09/25/18 17:30 PM - Last Updated 04/20/20 22:37 PM

This document describes the steps to configure admin authentication with a Windows 2008 RADIUS server.

The prerequisites for this configuration are:

  • L3 connectivity from the management interface or service route of the device to the RADIUS server.
  • A Windows 2008 server that can validate domain accounts.


Part 1: Configuring the Palo Alto Networks Firewall

  1. Go to Device > Server Profiles > RADIUS and define a RADIUS server
  2. Go to Device > Authentication Profile and define an Authentication Profile
  3. Go to Device > Admin Roles and define an Admin Role. In this example the role is scoped to a single vsys rather than device-wide.
  4. Go to Device > Access Domain and define an Access Domain
  5. Go to Device > Setup > Management > Authentication Settings and make sure to select the RADIUS Authentication profile created above
  6. Go to Device > Administrators and validate that the user needed to be authenticated is not pre-defined on the box.
  7. Commit the configuration

Part 2: Configuring the Windows 2008 server (NPS server role required)

  1. Click Start > Administrative Tools > Network Policy Server and open NPS settings
  2. Add the Palo Alto Networks device as a RADIUS client
    1. Open the RADIUS Clients and Servers section
    2. Select RADIUS Clients
    3. Right click and select ‘New RADIUS Client’
      Note: Only add a name, IP address and shared secret. Leave the Vendor name on the standard setting, “RADIUS Standard”.
  3. After adding the clients, the list should look like this:
  4. Go to Policies and select Connection Request Policies. Make sure a policy for authenticating the users through Windows is configured/checked.
  5. Validate the Overview tab and make sure the Policy is enabled:
  6. Verify the Conditions tab
  7. Check the Settings tab where it is defined how the user is authenticated.
  8. Open the “Network Policies” section. Right-click on Network Policies and add a new policy.
  9. Give the policy a name
  10. Go to the Conditions tab and select which users can be authenticated (best by group designation):
  11. Go to the Constraints tab and make sure to enable “Unencrypted authentication (PAP, SPAP)"
  12. Go to the Settings tab and configure the VSAs (Vendor Specific Attributes) to be returned, which map the user to the right Admin Role and Access Domain:
    1. Select Vendor Specific under the RADIUS Attributes section
    2. Click “Add” in the pane to the right
    3. Select “Custom” from the Vendor drop down list
    4. The only option left in the Attributes list now is “Vendor-Specific”
    5. Click Add. The Attribute Information window will be shown.
    6. Click Add on the left side to bring up the Vendor-Specific Attribute Information window
    7. Define the VSAs
      1. Select “Enter Vendor Code” and enter “25461”.
      2. Make the selection “Yes. It conforms”, stipulating that the attribute conforms to the RADIUS RFC specifications for vendor specific attributes.
      3. Click “Configure Attribute…”
      4. The Admin Role is Vendor-assigned attribute number “1”.
      5. The Attribute format is “String”
      6. The Attribute value is the Admin Role name, in this example, “SE-Admin-Access”.
      7. Click OK.
      8. Click Add to configure a second attribute (if needed). Attribute number “2” is the Access Domain.
      9. The user's group is configured as attribute number “5”, User-Group.
        Note: The group can be used in a policy by typing/adding it manually in the appropriate rule.
      10. This gives different access/authorization options: “known” users can be matched for general access, while the RADIUS-returned group can be required for more secured resources/rules.
      11. The list of attributes should look like this:
    8. Click “OK” until all options are saved.
    9. Optionally, right-click on the existing policy and select a desired action.
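As an added illustration of step 12 (example code written for this article, not Palo Alto Networks' or Microsoft's code), the following Python script builds the Vendor-Specific attribute the way NPS encodes it when “Yes. It conforms” is selected: RFC 2865 type 26, the 4-byte vendor code 25461, then a vendor type (1 = Admin Role, 2 = Access Domain, 5 = User-Group), a vendor length and the string value. The decoder walks an attribute list the way the firewall would, skipping other attributes and other vendors' VSAs and rejecting bad lengths, so it can be run over the attribute bytes of a captured Access-Accept to confirm that NPS is returning the role and access domain you expect. The access-domain name “vsys1-admins”, the Reply-Message and the foreign vendor id 99999 in the sample are constructed values, not from the article.

```python
import struct
from typing import Dict, Optional

RADIUS_VENDOR_SPECIFIC = 26      # RFC 2865 attribute type for Vendor-Specific
PALO_ALTO_VENDOR_ID = 25461      # vendor code entered in the NPS wizard (from the article)

# Vendor-assigned attribute numbers as named in the article
VSA_NAMES = {1: "Admin-Role", 2: "Access-Domain", 5: "User-Group"}


def encode_vsa(vendor_type: int, value: str, vendor_id: int = PALO_ALTO_VENDOR_ID) -> bytes:
    """Build one RFC 2865-conformant Vendor-Specific attribute (type 26)."""
    data = value.encode("utf-8")
    # Vendor sub-attribute: vendor type (1 byte), vendor length (1 byte, counts itself), data
    sub_attr = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    # Attribute body: 4-byte vendor id (high octet zero) followed by the sub-attribute
    body = struct.pack("!I", vendor_id) + sub_attr
    if 2 + len(body) > 255:
        raise ValueError("value too long for a single RADIUS attribute")
    return struct.pack("!BB", RADIUS_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_accept_attributes(admin_role: str, access_domain: Optional[str] = None,
                            user_group: Optional[str] = None) -> bytes:
    """Attribute list NPS would place in an Access-Accept for the mappings of step 12."""
    attrs = encode_vsa(1, admin_role)
    if access_domain is not None:
        attrs += encode_vsa(2, access_domain)
    if user_group is not None:
        attrs += encode_vsa(5, user_group)
    return attrs


def decode_palo_alto_vsas(attrs: bytes) -> Dict[str, str]:
    """Walk a RADIUS attribute list and return the Palo Alto VSAs it carries.

    Other attributes and other vendors' VSAs are skipped; a malformed length raises
    ValueError instead of being silently accepted.
    """
    found: Dict[str, str] = {}
    i = 0
    while i < len(attrs):
        if len(attrs) - i < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = attrs[i], attrs[i + 1]
        if a_len < 2 or i + a_len > len(attrs):
            raise ValueError("bad attribute length")
        payload = attrs[i + 2:i + a_len]
        i += a_len
        if a_type != RADIUS_VENDOR_SPECIFIC or len(payload) < 4:
            continue
        if struct.unpack("!I", payload[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue                     # some other vendor's VSA
        j = 4
        while j < len(payload):
            if len(payload) - j < 2:
                raise ValueError("truncated vendor sub-attribute")
            v_type, v_len = payload[j], payload[j + 1]
            if v_len < 2 or j + v_len > len(payload):
                raise ValueError("bad vendor sub-attribute length")
            name = VSA_NAMES.get(v_type, f"vendor-type-{v_type}")
            found[name] = payload[j + 2:j + v_len].decode("utf-8")
            j += v_len
    return found


def is_well_formed(attrs: bytes) -> bool:
    """True when the attribute list parses cleanly; used to reject garbled captures."""
    try:
        decode_palo_alto_vsas(attrs)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a Reply-Message (type 18), another vendor's VSA (vendor id 99999,
    # constructed), then the Admin Role from the article and a constructed Access Domain.
    reply_message = struct.pack("!BB", 18, 2 + 2) + b"ok"
    sample = (reply_message + encode_vsa(1, "other", vendor_id=99999)
              + build_accept_attributes("SE-Admin-Access", "vsys1-admins"))
    print(decode_palo_alto_vsas(sample))
    # {'Admin-Role': 'SE-Admin-Access', 'Access-Domain': 'vsys1-admins'}
```

Run it directly to see the decoded mapping; to check a real server, feed `decode_palo_alto_vsas` the attribute section of an Access-Accept taken from a packet capture between the firewall and NPS. If the Admin-Role entry is missing, the Vendor-Specific attribute in the network policy was not saved with vendor code 25461 and vendor-assigned number 1.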

Part 3: Validate the setup

On the firewall

  1. Try a wrong password and check the resulting System Log entry on the Palo Alto Networks firewall under Monitor > Logs > System.
  2. With the right password, the login succeeds and the corresponding log entries are listed.
  3. Check the access rights:

On the NPS side

  1. From the Event Viewer (Start > Administrative Tools > Event Viewer), look for:
    • Security Event 6272, “Network Policy Server Granted access to a user.”
    • Event 6278, “Network Policy Server granted full access to a user because the host met the defined health policy.”
  2. Select the Security log listed in the Windows Logs section
  3. Look for Task Category and the entry “Network Policy Server”

owner: srommens