How to Configure RADIUS and AD 2008 Server

Steps

1. Create RADUIS client: Friendly Name and IP Address:
   
2. Create a Connection Request policy: Overview
   
3. Conditions: Client Friendly Name, configure for the RADIUS client. Use the default options for  “setting.”)
   
4. Completed Connection Request Policies setting:
   
   Network Policies settings:
   
   Condition: Add Window Group:
   
5. Add Client Friendly Name:
   
6. Use default value for Constraints (except for Authentication Method), and Setting options:
   
   Completed Network Policies:
   

Palo Alto Networks – RADIUS Authentication for Captive Portal

1. RADIUS configuration
   
2. Authenticate Profile > new > name > Edit Allow List > Select user or group
   Select Authentication and Server profiles.
   
3. RADIUS Authenticated (Windows Security Log and PAN Authd.log)
   
   Firewall authd.log:
   Jul 09 22:44:56 pan_authd_loop(pan_authd.c:1852): Got a msg to authd
   Jul 09 22:44:56 pan_authd_loop(pan_authd.c:1862): recv'ed 1004 bytes from 127.0.0.1
   Jul 09 22:44:56 pan_authd_service_req(pan_authd.c:1687): pan_authd_service_req()
   Jul 09 22:44:56 pan_authd_service_req(pan_authd.c:1699): Authd:Trying to remote authenticate user: student9
   Jul 09 22:44:56 pan_authd_service_auth_req(pan_authd.c:721): pan_authd_service_auth_req()
   Jul 09 22:44:56 pan_authd_service_auth_req(pan_authd.c:738): AUTH Request <'vsys1','wt-RADIUS','student9'>
   Jul 09 22:44:56 pan_authd_handle_nonadmin_auths(pan_authd.c:1250): pan_authd_handle_nonadmin_auths()
   Jul 09 22:44:56 pan_auth_user_is_lockedout(pan_localdb_utils.c:386): locklist :searching for vsys vsys1, auth wt-RADIUS, user pan-training\student9
   Jul 09 22:44:56 pan_authenticate_radius_user()
   Jul 09 22:44:56 pan_process_radius_auth(pan_authd.c:527): pan_process_radius_auth()
   Jul 09 22:44:56 pan_get_system_cmd_output(pan_cfg_utils.c:2701): executing: /usr/local/bin/sdb -n cfg.fips-enabled 'cfg.fips-enabled': NO_MATCHES
   Jul 09 22:44:56 pan_process_radius_auth(pan_authd.c:542): Using radius config file /etc/raddb/pan_rad_vsys1_wt-RADIUS for user pan-training\student9
   Jul 09 22:44:56 authentication succeeded for user <vsys1,wt-RADIUS,pan-training\student9>
   Jul 09 22:44:56 User 'pan-training\student9' authenticated.
   Jul 09 22:44:56 pan_authd_send_auth_resp(pan_authd.c:1526): pan_authd_send_auth_resp
   Jul 09 22:44:56 pan_authd_send_auth_resp(pan_authd.c:1544): Sent the response to client
   
   Incorrect RADIUS password - Failed  (Windows-Security Log and PAN-authd.log):
   
   
   Jul 10 07:14:25 pan_authd_loop(pan_authd.c:1852): Got a msg to authd
   Jul 10 07:14:25 pan_authd_loop(pan_authd.c:1862): recv'ed 1004 bytes from 127.0.0.1
   Jul 10 07:14:25 pan_authd_service_req(pan_authd.c:1687): pan_authd_service_req()
   Jul 10 07:14:25 pan_authd_service_req(pan_authd.c:1699): Authd:Trying to remote authenticate user: student9
   Jul 10 07:14:25 pan_authd_service_auth_req(pan_authd.c:721): pan_authd_service_auth_req()
   Jul 10 07:14:25 pan_authd_service_auth_req(pan_authd.c:738): AUTH Request <'vsys1','wt-RADIUS','student9'>
   Jul 10 07:14:25 pan_authd_handle_nonadmin_auths(pan_authd.c:1250): pan_authd_handle_nonadmin_auths()
   Jul 10 07:14:25 pan_auth_user_is_lockedout(pan_localdb_utils.c:386): locklist :searching for vsys vsys1, auth wt-RADIUS, user pan-training\student9
   Jul 10 07:14:25 pan_authenticate_radius_user()
   Jul 10 07:14:25 pan_process_radius_auth(pan_authd.c:527): pan_process_radius_auth()
   Jul 10 07:14:25 pan_get_system_cmd_output(pan_cfg_utils.c:2701): executing: /usr/local/bin/sdb -n cfg.fips-enabled 'cfg.fips-enabled': NO_MATCHES
   Jul 10 07:14:25 pan_process_radius_auth(pan_authd.c:542): Using radius config file /etc/raddb/pan_rad_vsys1_wt-RADIUS for user pan-training\student9
   Jul 10 07:14:25 Error: pan_authenticate_radius_user(pan_authd.c:1219): Unexpected error from radius server -1
   Jul 10 07:14:25 User 'pan-training\student9' failed authentication. Reason: Invalid username/password
   Jul 10 07:14:25 pan_authd_send_auth_resp(pan_authd.c:1526): pan_authd_send_auth_resp
   Jul 10 07:14:25 pan_authd_send_auth_resp(pan_authd.c:1544): Sent the response to client

PAN- Authentication status:

> show user ip-user-mapping

IP              Ident. By User                            Idle Timeout (s) Max. Timeout (s)

--------------- --------- -------------------------------- ---------------- ----------------

1. 10.30.11.220    AD pan-training\student20 735              735           
2. 10.30.11.214    AD pan-training\student14 735              735           
3. 10.30.11.219    AD pan-training\student19 735              735           
4. 10.30.11.209    AD pan-training\student9 735              735           
5. 10.30.11.212    AD pan-training\student12 735              735           
6. 10.30.11.221    AD pan-training\student21 735              735           
7. 10.30.11.218    AD pan-training\student18 735              735           
8. 10.30.11.213    AD pan-training\student13 735              735           
9. 10.30.11.216    AD pan-training\student16 735              735           
10. 192.168.9.50 CP        pan-training\student9            300              353           
11. 10.30.11.211    AD pan-training\student11 735              735           
12. 10.30.11.224    AD pan-training\student24 735              735           
13. 10.30.11.217    AD pan-training\student17 735              735           
14. 10.30.11.24    AD pan-training\student4 735              735           
15. 10.30.11.210    AD pan-training\student10 735              735           

Total: 15 users

> show user pan-agent user-IDs match-user student9

User Name                      Vsys    Groups

------------------------------------------------------------------

pan-training\student9          vsys1  pan-training\students

owner: wtam