Configuring Administrator Authentication with Windows 2008 RADIUS Server (NPS/IAS)
93810
Created On 09/25/18 17:30 PM - Last Modified 06/01/23 03:29 AM
Resolution
Overview
This document describes the steps to configure admin authentication with a Windows 2008 RADIUS server.
The prerequisites for this configuration are:
- L3 connectivity from the management interface or service route of the device to the RADIUS server.
- A Windows 2008 server that can validate domain accounts.
Steps
Part 1: Configuring the Palo Alto Networks Firewall
- Go to Device > Server Profiles > RADIUS and define a RADIUS server
- Go to Device > Authentication Profile and define an Authentication Profile
- Go to Device > Admin Roles and define an Admin Role. In this example the role is scoped to a vsys rather than device-wide.
- Go to Device > Access Domain and define an Access Domain
- Go to Device > Setup > Management > Authentication Settings and make sure to select the RADIUS Authentication profile created above
- Go to Device > Administrators and verify that the user to be authenticated is not already defined as a local administrator on the firewall.
- Commit the configuration
Part 2: Configuring the Windows 2008 server (NPS Server Role required)
- Click Start > Administrative Tools > Network Policy Server and open NPS settings
- Add the Palo Alto Networks device as a RADIUS client
- Open the RADIUS Clients and Servers section
- Select RADIUS Clients
- Right click and select ‘New RADIUS Client’
Note: Only add a name, IP and shared secret. Leave the Vendor name on the standard setting, “RADIUS Standard”.
- After adding the clients, the list should look like this:
- Go to Policies and select Connection Request Policies. Make sure a policy that authenticates users against Windows is configured and enabled.
- Validate the Overview tab and make sure the Policy is enabled:
- Verify the Conditions tab
- Check the Settings tab, which defines how the user is authenticated.
- Open the “Network Policies” section. Right-click on Network Policies and add a new policy.
- Give the policy a name
- Go to the Conditions tab and select which users can be authenticated (best by group designation):
- Go to the Constraints tab and make sure to enable “Unencrypted authentication (PAP, SPAP)”
- Go to the Settings tab and configure the VSAs (Vendor Specific Attributes) to be returned, which map the user to the right Admin Role and Access Domain
- Select Vendor Specific under the RADIUS Attributes section
- Click “Add” in the pane to the right
- Select “Custom” from the Vendor drop down list
- The only option left in the Attributes list now is “Vendor-Specific”
- Click Add. The Attribute Information window will be shown.
- Click Add on the left side to bring up the Vendor-Specific Attribute Information window
- Define the VSAs
- Select “Enter Vendor Code” and enter “25461”.
- Select “Yes. It conforms”, stating that the attribute conforms to the RADIUS RFC format for vendor-specific attributes.
- Click “Configure Attribute…”
- The Admin Role is Vendor-assigned attribute number “1”.
- The Attribute format is “String”
- The Attribute value is the Admin Role name, in this example, “SE-Admin-Access”.
- Click OK.
- Click Add to configure a second attribute (if needed). Attribute number “2” is the Access Domain.
- The user needs to be configured in User-Group 5
Note: The returned group can be used in a policy by adding it manually in the appropriate rule. This allows different access/authorization options: “known” users for general access, and the RADIUS-returned group for more secured resources/rules.
- The list of attributes should look like this:
- Click “OK” until all options are saved.
- Optionally, right-click on the existing policy and select a desired action.
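The VSA settings above (vendor code 25461, attribute 1 as the Admin Role, attribute 2 as the Access Domain and attribute 5 as the User-Group, all RFC-conformant string values) can be checked by decoding the attribute list of the Access-Accept that NPS returns, for instance from a packet capture or a test RADIUS client. The following is an added example and not Palo Alto Networks or Microsoft code: it builds the RFC 2865 Vendor-Specific (type 26) layout NPS produces for these settings and parses it back, skipping other attribute types and other vendors' VSAs and rejecting inconsistent lengths. The attribute labels, the sample access-domain and group values, and the second vendor id (9) are constructed for the example; only the vendor code and the role name “SE-Admin-Access” come from the article.

```python
"""Encode and decode the RFC 2865 Vendor-Specific attributes (type 26) that
NPS returns in an Access-Accept for the policy configured above.
Added example for checking a capture or a test client's output; it is not
Palo Alto Networks or Microsoft code.  Sample values are constructed."""
import struct

VSA_TYPE = 26                    # RFC 2865 "Vendor-Specific" attribute type
PALOALTO_VENDOR_ID = 25461       # vendor code entered in NPS (from the article)

# Vendor-assigned attribute numbers named in the article.  The labels are
# descriptive names chosen for this example, keyed on the numbers used by NPS.
VENDOR_ATTRS = {
    1: "Admin-Role",
    2: "Admin-Access-Domain",
    5: "User-Group",
}


def encode_vsa(vendor_type: int, value: str) -> bytes:
    """Build one RFC-conformant VSA: Type(26) Len VendorId(4) VType VLen Value."""
    data = value.encode("utf-8")
    # The outer Length is one byte and covers everything: 2 + 4 + 2 + len(data) <= 255
    if len(data) > 247:
        raise ValueError("VSA string value too long for a single attribute")
    sub_attr = struct.pack("!BB", vendor_type, 2 + len(data)) + data
    body = struct.pack("!I", PALOALTO_VENDOR_ID) + sub_attr
    return struct.pack("!BB", VSA_TYPE, 2 + len(body)) + body


def _parse_sub_attrs(inner: bytes) -> dict:
    """Walk the vendor-specific sub-attributes inside one VSA body."""
    out, off = {}, 0
    while off < len(inner):
        if len(inner) - off < 2:
            raise ValueError("truncated vendor sub-attribute header")
        vtype, vlen = inner[off], inner[off + 1]
        if vlen < 2 or off + vlen > len(inner):
            raise ValueError("vendor sub-attribute length is inconsistent")
        name = VENDOR_ATTRS.get(vtype, f"Unknown-{vtype}")
        out[name] = inner[off + 2:off + vlen].decode("utf-8", errors="replace")
        off += vlen
    return out


def parse_attributes(blob: bytes) -> dict:
    """Return the Palo Alto VSAs found in a RADIUS attribute list.

    Attributes of other types and VSAs from other vendor ids are skipped;
    malformed lengths raise instead of being silently accepted."""
    found, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 2:
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("attribute length runs past the end of the packet")
        if atype == VSA_TYPE and alen >= 8:      # 2 hdr + 4 vendor id + 2 sub-hdr
            vendor_id = struct.unpack("!I", blob[off + 2:off + 6])[0]
            if vendor_id == PALOALTO_VENDOR_ID:
                found.update(_parse_sub_attrs(blob[off + 6:off + alen]))
        off += alen
    return found


def authorization_from_accept(blob: bytes):
    """Return (admin_role, access_domain) carried by the Access-Accept.
    Without attribute 1 there is nothing to map the user to an Admin Role."""
    attrs = parse_attributes(blob)
    if "Admin-Role" not in attrs:
        raise PermissionError("Access-Accept carries no Admin-Role VSA")
    return attrs["Admin-Role"], attrs.get("Admin-Access-Domain")


# Constructed attribute list standing in for the Access-Accept of the article's
# policy: a Reply-Message (type 18), the three Palo Alto VSAs, then a VSA from
# another vendor id (9) that must be ignored.  Values other than the article's
# role name "SE-Admin-Access" are placeholders.
SAMPLE_ACCESS_ACCEPT_ATTRS = (
    struct.pack("!BB", 18, 2 + len(b"Welcome")) + b"Welcome"
    + encode_vsa(1, "SE-Admin-Access")
    + encode_vsa(2, "example-access-domain")
    + encode_vsa(5, "fw-admins")
    + struct.pack("!BBIBB", VSA_TYPE, 10, 9, 1, 4) + b"xx"
)

if __name__ == "__main__":
    print(encode_vsa(1, "SE-Admin-Access").hex())
    print(parse_attributes(SAMPLE_ACCESS_ACCEPT_ATTRS))
    print(authorization_from_accept(SAMPLE_ACCESS_ACCEPT_ATTRS))
```

When validating a real capture, feed the attribute bytes that follow the 20-byte RADIUS header of the Access-Accept to parse_attributes(); a returned role name that does not match an Admin Role defined on the firewall, or a missing attribute 1, explains a login that authenticates on NPS but still fails on the firewall.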
Part 3: Validate the setup
On the firewall
- Log in with a wrong password and check the System log on the Palo Alto Networks firewall (Monitor > Logs > System) for the failed-authentication entry:
- With the right password, the login succeeds and lists these log entries:
- Check the access rights:
On the NPS side
- From the Event Viewer (Start > Administrative Tools > Event Viewer), look for:
- Security Event 6272, “Network Policy Server Granted access to a user.”
- Event 6278, “Network Policy Server granted full access to a user because the host met the defined health policy.”
- Select the Security log listed in the Windows Logs section
- Look for Task Category and the entry “Network Policy Server”
See Also
See the following for configuring similar setups:
owner: srommens