Palo Alto Networks Knowledgebase: How to Configure RADIUS and AD 2008 Server


Created On 02/07/19 23:52 PM - Last Updated 02/07/19 23:53 PM
Resolution

Steps

  1. Create the RADIUS client: Friendly Name and IP Address:
    image001.png
  2. Create a Connection Request policy: Overview
    image004.jpg
  3. Conditions: Client Friendly Name, configured for the RADIUS client. Use the default options under "Settings."
    image005.png
  4. Completed Connection Request Policies setting:
    image007.png
    Network Policies settings:
    image010.jpg
    Condition: Add Window Group:
    image012.jpg
  5. Add Client Friendly Name:
    image014.jpg
  6. Use default value for Constraints (except for Authentication Method), and Setting options:
    image015.png
    Completed Network Policies:
    image018.jpg


Palo Alto Networks – RADIUS Authentication for Captive Portal

  1. RADIUS configuration
    image019.png
  2. Authentication Profile > New > Name > Edit Allow List > select the user or group.
    Then select the Authentication method (RADIUS) and the Server Profile.
    image021.png
  3. Successful RADIUS authentication (Windows Security Log and PAN authd.log):
    image024.jpg
    Firewall authd.log:
    Jul 09 22:44:56 pan_authd_loop(pan_authd.c:1852): Got a msg to authd
    Jul 09 22:44:56 pan_authd_loop(pan_authd.c:1862): recv'ed 1004 bytes from 127.0.0.1
    Jul 09 22:44:56 pan_authd_service_req(pan_authd.c:1687): pan_authd_service_req()
    Jul 09 22:44:56 pan_authd_service_req(pan_authd.c:1699): Authd:Trying to remote authenticate user: student9
    Jul 09 22:44:56 pan_authd_service_auth_req(pan_authd.c:721): pan_authd_service_auth_req()
    Jul 09 22:44:56 pan_authd_service_auth_req(pan_authd.c:738): AUTH Request <'vsys1','wt-RADIUS','student9'>
    Jul 09 22:44:56 pan_authd_handle_nonadmin_auths(pan_authd.c:1250): pan_authd_handle_nonadmin_auths()
    Jul 09 22:44:56 pan_auth_user_is_lockedout(pan_localdb_utils.c:386): locklist :searching for vsys vsys1, auth wt-RADIUS, user pan-training\student9
    Jul 09 22:44:56 pan_authenticate_radius_user()
    Jul 09 22:44:56 pan_process_radius_auth(pan_authd.c:527): pan_process_radius_auth()
    Jul 09 22:44:56 pan_get_system_cmd_output(pan_cfg_utils.c:2701): executing: /usr/local/bin/sdb -n cfg.fips-enabled 'cfg.fips-enabled': NO_MATCHES
    Jul 09 22:44:56 pan_process_radius_auth(pan_authd.c:542): Using radius config file /etc/raddb/pan_rad_vsys1_wt-RADIUS for user pan-training\student9
    Jul 09 22:44:56 authentication succeeded for user <vsys1,wt-RADIUS,pan-training\student9>
    Jul 09 22:44:56 User 'pan-training\student9' authenticated.
    Jul 09 22:44:56 pan_authd_send_auth_resp(pan_authd.c:1526): pan_authd_send_auth_resp
    Jul 09 22:44:56 pan_authd_send_auth_resp(pan_authd.c:1544): Sent the response to client

    Incorrect RADIUS password - Failed (Windows Security Log and PAN authd.log):
    image025.png

    Jul 10 07:14:25 pan_authd_loop(pan_authd.c:1852): Got a msg to authd
    Jul 10 07:14:25 pan_authd_loop(pan_authd.c:1862): recv'ed 1004 bytes from 127.0.0.1
    Jul 10 07:14:25 pan_authd_service_req(pan_authd.c:1687): pan_authd_service_req()
    Jul 10 07:14:25 pan_authd_service_req(pan_authd.c:1699): Authd:Trying to remote authenticate user: student9
    Jul 10 07:14:25 pan_authd_service_auth_req(pan_authd.c:721): pan_authd_service_auth_req()
    Jul 10 07:14:25 pan_authd_service_auth_req(pan_authd.c:738): AUTH Request <'vsys1','wt-RADIUS','student9'>
    Jul 10 07:14:25 pan_authd_handle_nonadmin_auths(pan_authd.c:1250): pan_authd_handle_nonadmin_auths()
    Jul 10 07:14:25 pan_auth_user_is_lockedout(pan_localdb_utils.c:386): locklist :searching for vsys vsys1, auth wt-RADIUS, user pan-training\student9
    Jul 10 07:14:25 pan_authenticate_radius_user()
    Jul 10 07:14:25 pan_process_radius_auth(pan_authd.c:527): pan_process_radius_auth()
    Jul 10 07:14:25 pan_get_system_cmd_output(pan_cfg_utils.c:2701): executing: /usr/local/bin/sdb -n cfg.fips-enabled 'cfg.fips-enabled': NO_MATCHES
    Jul 10 07:14:25 pan_process_radius_auth(pan_authd.c:542): Using radius config file /etc/raddb/pan_rad_vsys1_wt-RADIUS for user pan-training\student9
    Jul 10 07:14:25 Error: pan_authenticate_radius_user(pan_authd.c:1219): Unexpected error from radius server -1
    Jul 10 07:14:25 User 'pan-training\student9' failed authentication. Reason: Invalid username/password
    Jul 10 07:14:25 pan_authd_send_auth_resp(pan_authd.c:1526): pan_authd_send_auth_resp
    Jul 10 07:14:25 pan_authd_send_auth_resp(pan_authd.c:1544): Sent the response to client
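To turn the two authd.log excerpts above into something an operator can act on, here is an added Python example (not from the article or from Palo Alto Networks) that extracts the request, success and failure lines, keys on the domain-qualified user name that the result lines carry (the AUTH Request line logs only the bare `student9`, while the result lines show `pan-training\student9`), and counts successes and failures per user. The sample lines are constructed from the excerpts above; the `users_over_threshold` helper and its threshold are assumptions for illustration, not a PAN-OS feature.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on the authd.log excerpts in this article:
# one successful and one failed RADIUS authentication for the same user.
# Not a capture from the article's firewall.
SAMPLE_AUTHD_LOG = [
    r"Jul 09 22:44:56 pan_authd_service_auth_req(pan_authd.c:738): AUTH Request <'vsys1','wt-RADIUS','student9'>",
    r"Jul 09 22:44:56 pan_process_radius_auth(pan_authd.c:542): Using radius config file /etc/raddb/pan_rad_vsys1_wt-RADIUS for user pan-training\student9",
    r"Jul 09 22:44:56 authentication succeeded for user <vsys1,wt-RADIUS,pan-training\student9>",
    r"Jul 09 22:44:56 User 'pan-training\student9' authenticated.",
    r"Jul 10 07:14:25 pan_authd_service_auth_req(pan_authd.c:738): AUTH Request <'vsys1','wt-RADIUS','student9'>",
    r"Jul 10 07:14:25 Error: pan_authenticate_radius_user(pan_authd.c:1219): Unexpected error from radius server -1",
    r"Jul 10 07:14:25 User 'pan-training\student9' failed authentication. Reason: Invalid username/password",
]

# authd.log lines start with "Mon DD HH:MM:SS " and no year.
TS = r"(?P<ts>[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}) "

# Only the three line shapes that describe an authentication outcome are parsed;
# the request carries the bare user name, the result lines the domain-qualified one.
PATTERNS = {
    "request": re.compile(TS + r".*AUTH Request <'(?P<vsys>[^']*)','(?P<profile>[^']*)','(?P<user>[^']*)'>"),
    "success": re.compile(TS + r"authentication succeeded for user <(?P<vsys>[^,]*),(?P<profile>[^,]*),(?P<user>[^>]*)>"),
    "failure": re.compile(TS + r"User '(?P<user>[^']*)' failed authentication\. Reason: (?P<reason>.*)$"),
}


def parse_authd(lines):
    """Return one event dict per request/success/failure line; all other lines are ignored."""
    events = []
    for line in lines:
        for kind, pattern in PATTERNS.items():
            m = pattern.match(line.rstrip("\n"))
            if m:
                events.append({"kind": kind, **m.groupdict()})
                break
    return events


def summarize(events):
    """Count successes and failures per domain-qualified user and collect failure reasons."""
    summary = {"success": Counter(), "failure": Counter(), "reasons": defaultdict(Counter)}
    for e in events:
        if e["kind"] == "success":
            summary["success"][e["user"]] += 1
        elif e["kind"] == "failure":
            summary["failure"][e["user"]] += 1
            summary["reasons"][e["user"]][e["reason"]] += 1
    return summary


def users_over_threshold(summary, max_failures):
    """Users whose failure count reaches the threshold (assumed review/alert threshold)."""
    return sorted(u for u, n in summary["failure"].items() if n >= max_failures)


if __name__ == "__main__":
    s = summarize(parse_authd(SAMPLE_AUTHD_LOG))
    for user in sorted(set(s["success"]) | set(s["failure"])):
        print(f"{user}: {s['success'][user]} ok, {s['failure'][user]} failed, "
              f"reasons={dict(s['reasons'][user])}")
    print("over threshold:", users_over_threshold(s, 1))
```

On a real firewall the input would be the lines from `less mp-log authd.log` (or a tail of it); the regexes match only the outcome lines, so the debug chatter between them does not need to be filtered first.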


PAN firewall authentication status (CLI):

> show user ip-user-mapping

IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
10.30.11.220    AD        pan-training\student20           735              735
10.30.11.214    AD        pan-training\student14           735              735
10.30.11.219    AD        pan-training\student19           735              735
10.30.11.209    AD        pan-training\student9            735              735
10.30.11.212    AD        pan-training\student12           735              735
10.30.11.221    AD        pan-training\student21           735              735
10.30.11.218    AD        pan-training\student18           735              735
10.30.11.213    AD        pan-training\student13           735              735
10.30.11.216    AD        pan-training\student16           735              735
192.168.9.50    CP        pan-training\student9            300              353
10.30.11.211    AD        pan-training\student11           735              735
10.30.11.224    AD        pan-training\student24           735              735
10.30.11.217    AD        pan-training\student17           735              735
10.30.11.24     AD        pan-training\student4            735              735
10.30.11.210    AD        pan-training\student10           735              735

Total: 15 users


> show user pan-agent user-IDs match-user student9

User Name                      Vsys    Groups
------------------------------------------------------------------
pan-training\student9          vsys1  pan-training\students
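As an added example (not part of the article), the following Python parses `show user ip-user-mapping` output without relying on column alignment, since long user names shift the columns in CLI output, and answers the questions an administrator checks after a captive portal login: which mappings were learned from the captive portal (CP) versus the AD/User-ID source, which users are mapped to more than one IP (in the listing above student9 appears via AD at 10.30.11.209 and via CP at 192.168.9.50), and which mappings are close to their idle timeout. The sample text is constructed from a subset of the rows above; the helper names are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample modelled on the `show user ip-user-mapping` listing in this
# article (a subset of its rows, not a capture from the article's firewall).
SAMPLE_MAPPING = """\
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
10.30.11.220    AD        pan-training\\student20           735              735
10.30.11.209    AD        pan-training\\student9            735              735
192.168.9.50    CP        pan-training\\student9            300              353
10.30.11.24     AD        pan-training\\student4            735              735

Total: 4 users
"""


def parse_ip_user_mapping(text):
    """Parse the mapping table into dicts, skipping header, separator, blank and Total lines.

    The first two columns (IP, Ident. By) and the last two (timeouts) never contain
    spaces, so splitting from both ends leaves the user name in the middle intact
    even when the CLI's fixed-width columns have drifted.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("IP ") or line.startswith("Total:"):
            continue
        if set(line) <= {"-", " "}:  # separator line under the header
            continue
        head, idle, max_timeout = line.rsplit(None, 2)
        ip, ident_by, user = head.split(None, 2)
        rows.append({
            "ip": ipaddress.ip_address(ip),  # raises ValueError on a malformed address
            "ident_by": ident_by,            # AD (User-ID / AD source) or CP (captive portal)
            "user": user.strip(),
            "idle_timeout": int(idle),
            "max_timeout": int(max_timeout),
        })
    return rows


def mappings_by_source(rows):
    """Group mapped user names by the source that identified them (AD, CP, ...)."""
    out = defaultdict(list)
    for r in rows:
        out[r["ident_by"]].append(r["user"])
    return dict(out)


def users_with_multiple_ips(rows):
    """Users mapped to more than one IP, e.g. seen via AD and again via captive portal."""
    ips = defaultdict(set)
    for r in rows:
        ips[r["user"]].add(str(r["ip"]))
    return {u: sorted(a) for u, a in ips.items() if len(a) > 1}


def expiring_soon(rows, within_seconds):
    """Mappings whose idle timeout is at or below the threshold, i.e. about to age out."""
    return [(str(r["ip"]), r["user"], r["idle_timeout"])
            for r in rows if r["idle_timeout"] <= within_seconds]


if __name__ == "__main__":
    rows = parse_ip_user_mapping(SAMPLE_MAPPING)
    print("by source:", mappings_by_source(rows))
    print("multiple IPs:", users_with_multiple_ips(rows))
    print("expiring within 300 s:", expiring_soon(rows, 300))
```

The CP row is the captive portal mapping created by the RADIUS login shown earlier; its shorter idle and max timeouts (300/353 here versus 735 for the AD-learned rows) are why a user can drop out of a user-based policy sooner after a captive portal login than after an AD-based one.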


owner: wtam



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMJCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail