How to Configure RADIUS and AD 2008 Server
22260
Created On 09/25/18 17:59 PM - Last Modified 05/31/23 21:52 PM
Resolution
Steps
- Create RADIUS client: Friendly Name and IP Address:
- Create a Connection Request policy: Overview
- Conditions: Client Friendly Name, configured for the RADIUS client. Use the default options for “Settings.”
- Completed Connection Request Policies setting:
Network Policies settings:
Condition: Add Windows Group:
- Add Client Friendly Name:
- Use default values for Constraints (except for Authentication Method) and Settings options:
Completed Network Policies:
Palo Alto Networks – RADIUS Authentication for Captive Portal
- RADIUS configuration
- Authentication Profile > New > Name > Edit Allow List > Select user or group
Select Authentication and Server profiles.
- RADIUS Authenticated (Windows Security Log and PAN Authd.log)
Firewall authd.log:
Jul 09 22:44:56 pan_authd_loop(pan_authd.c:1852): Got a msg to authd
Jul 09 22:44:56 pan_authd_loop(pan_authd.c:1862): recv'ed 1004 bytes from 127.0.0.1
Jul 09 22:44:56 pan_authd_service_req(pan_authd.c:1687): pan_authd_service_req()
Jul 09 22:44:56 pan_authd_service_req(pan_authd.c:1699): Authd:Trying to remote authenticate user: student9
Jul 09 22:44:56 pan_authd_service_auth_req(pan_authd.c:721): pan_authd_service_auth_req()
Jul 09 22:44:56 pan_authd_service_auth_req(pan_authd.c:738): AUTH Request <'vsys1','wt-RADIUS','student9'>
Jul 09 22:44:56 pan_authd_handle_nonadmin_auths(pan_authd.c:1250): pan_authd_handle_nonadmin_auths()
Jul 09 22:44:56 pan_auth_user_is_lockedout(pan_localdb_utils.c:386): locklist :searching for vsys vsys1, auth wt-RADIUS, user pan-training\student9
Jul 09 22:44:56 pan_authenticate_radius_user()
Jul 09 22:44:56 pan_process_radius_auth(pan_authd.c:527): pan_process_radius_auth()
Jul 09 22:44:56 pan_get_system_cmd_output(pan_cfg_utils.c:2701): executing: /usr/local/bin/sdb -n cfg.fips-enabled 'cfg.fips-enabled': NO_MATCHES
Jul 09 22:44:56 pan_process_radius_auth(pan_authd.c:542): Using radius config file /etc/raddb/pan_rad_vsys1_wt-RADIUS for user pan-training\student9
Jul 09 22:44:56 authentication succeeded for user <vsys1,wt-RADIUS,pan-training\student9>
Jul 09 22:44:56 User 'pan-training\student9' authenticated.
Jul 09 22:44:56 pan_authd_send_auth_resp(pan_authd.c:1526): pan_authd_send_auth_resp
Jul 09 22:44:56 pan_authd_send_auth_resp(pan_authd.c:1544): Sent the response to client
Incorrect RADIUS password - Failed (Windows Security Log and PAN authd.log):
Jul 10 07:14:25 pan_authd_loop(pan_authd.c:1852): Got a msg to authd
Jul 10 07:14:25 pan_authd_loop(pan_authd.c:1862): recv'ed 1004 bytes from 127.0.0.1
Jul 10 07:14:25 pan_authd_service_req(pan_authd.c:1687): pan_authd_service_req()
Jul 10 07:14:25 pan_authd_service_req(pan_authd.c:1699): Authd:Trying to remote authenticate user: student9
Jul 10 07:14:25 pan_authd_service_auth_req(pan_authd.c:721): pan_authd_service_auth_req()
Jul 10 07:14:25 pan_authd_service_auth_req(pan_authd.c:738): AUTH Request <'vsys1','wt-RADIUS','student9'>
Jul 10 07:14:25 pan_authd_handle_nonadmin_auths(pan_authd.c:1250): pan_authd_handle_nonadmin_auths()
Jul 10 07:14:25 pan_auth_user_is_lockedout(pan_localdb_utils.c:386): locklist :searching for vsys vsys1, auth wt-RADIUS, user pan-training\student9
Jul 10 07:14:25 pan_authenticate_radius_user()
Jul 10 07:14:25 pan_process_radius_auth(pan_authd.c:527): pan_process_radius_auth()
Jul 10 07:14:25 pan_get_system_cmd_output(pan_cfg_utils.c:2701): executing: /usr/local/bin/sdb -n cfg.fips-enabled 'cfg.fips-enabled': NO_MATCHES
Jul 10 07:14:25 pan_process_radius_auth(pan_authd.c:542): Using radius config file /etc/raddb/pan_rad_vsys1_wt-RADIUS for user pan-training\student9
Jul 10 07:14:25 Error: pan_authenticate_radius_user(pan_authd.c:1219): Unexpected error from radius server -1
Jul 10 07:14:25 User 'pan-training\student9' failed authentication. Reason: Invalid username/password
Jul 10 07:14:25 pan_authd_send_auth_resp(pan_authd.c:1526): pan_authd_send_auth_resp
Jul 10 07:14:25 pan_authd_send_auth_resp(pan_authd.c:1544): Sent the response to client
PAN Authentication status:
> show user ip-user-mapping
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
10.30.11.220    AD        pan-training\student20           735              735
10.30.11.214    AD        pan-training\student14           735              735
10.30.11.219    AD        pan-training\student19           735              735
10.30.11.209    AD        pan-training\student9            735              735
10.30.11.212    AD        pan-training\student12           735              735
10.30.11.221    AD        pan-training\student21           735              735
10.30.11.218    AD        pan-training\student18           735              735
10.30.11.213    AD        pan-training\student13           735              735
10.30.11.216    AD        pan-training\student16           735              735
192.168.9.50    CP        pan-training\student9            300              353
10.30.11.211    AD        pan-training\student11           735              735
10.30.11.224    AD        pan-training\student24           735              735
10.30.11.217    AD        pan-training\student17           735              735
10.30.11.24     AD        pan-training\student4            735              735
10.30.11.210    AD        pan-training\student10           735              735
Total: 15 users
> show user pan-agent user-IDs match-user student9
User Name Vsys Groups
------------------------------------------------------------------
pan-training\student9 vsys1 pan-training\students
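The two authd.log excerpts above (one successful RADIUS authentication, one rejected password) and the ip-user-mapping output can be checked mechanically rather than by eye: fold each attempt's log lines into one event, keep the firewall's stated reason and the RADIUS-level error for failures, and confirm that every user who passed RADIUS actually received a Captive Portal (CP) mapping in User-ID. The code below is an added example and is not from the article or from Palo Alto Networks. The sample log lines and table rows are copied from the article; the field layout the regular expressions assume is inferred from those samples only, and the AuthEvent/Mapping classes and the function names are this example's own.

```python
# Added example (not from the article): parse the authd.log excerpts and the
# "show user ip-user-mapping" output shown above, then correlate them.
# Log lines and table rows are copied from the article; the regex field layout
# is inferred from those samples only. Class and function names are assumptions.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# authd.log excerpt from the article (raw string: user names contain '\').
AUTHD_LOG = r"""
Jul 09 22:44:56 pan_authd_service_auth_req(pan_authd.c:738): AUTH Request <'vsys1','wt-RADIUS','student9'>
Jul 09 22:44:56 pan_process_radius_auth(pan_authd.c:542): Using radius config file /etc/raddb/pan_rad_vsys1_wt-RADIUS for user pan-training\student9
Jul 09 22:44:56 authentication succeeded for user <vsys1,wt-RADIUS,pan-training\student9>
Jul 09 22:44:56 User 'pan-training\student9' authenticated.
Jul 10 07:14:25 pan_authd_service_auth_req(pan_authd.c:738): AUTH Request <'vsys1','wt-RADIUS','student9'>
Jul 10 07:14:25 Error: pan_authenticate_radius_user(pan_authd.c:1219): Unexpected error from radius server -1
Jul 10 07:14:25 User 'pan-training\student9' failed authentication. Reason: Invalid username/password
"""

# Excerpt of "show user ip-user-mapping" from the article (header, separator, four rows).
IP_USER_MAPPING = r"""
IP              Ident. By User                             Idle Timeout (s) Max. Timeout (s)
--------------- --------- -------------------------------- ---------------- ----------------
10.30.11.220    AD        pan-training\student20           735              735
10.30.11.209    AD        pan-training\student9            735              735
192.168.9.50    CP        pan-training\student9            300              353
10.30.11.211    AD        pan-training\student11           735              735
"""

TS = r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) "
RE_REQUEST = re.compile(TS + r"pan_authd_service_auth_req\(.*\): AUTH Request "
                        r"<'(?P<vsys>[^']+)','(?P<profile>[^']+)','(?P<user>[^']+)'>")
RE_RADIUS_ERR = re.compile(TS + r"Error: pan_authenticate_radius_user\(.*\): (?P<detail>.+)$")
RE_SUCCESS = re.compile(TS + r"authentication succeeded for user "
                        r"<(?P<vsys>[^,]+),(?P<profile>[^,]+),(?P<user>[^>]+)>$")
RE_FAILURE = re.compile(TS + r"User '(?P<user>[^']+)' failed authentication\. Reason: (?P<reason>.+)$")
RE_MAPPING_ROW = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<source>\S+)\s+"
                            r"(?P<user>\S+)\s+(?P<idle>\d+)\s+(?P<max>\d+)$")


@dataclass
class AuthEvent:
    timestamp: str
    vsys: str
    profile: str                   # authentication / server profile name (wt-RADIUS)
    user: str                      # as entered on the request; domain-qualified once resolved
    outcome: str                   # "pending", "success" or "failure"
    reason: Optional[str] = None   # firewall's stated reason on failure
    detail: Optional[str] = None   # RADIUS-level error line, if one was logged


@dataclass
class Mapping:
    ip: str
    source: str                    # "AD" = User-ID agent, "CP" = Captive Portal
    user: str
    idle_timeout: int
    max_timeout: int


def parse_authd_log(text: str) -> List[AuthEvent]:
    """Fold the lines belonging to one authentication attempt into a single AuthEvent."""
    events: List[AuthEvent] = []
    pending: Optional[AuthEvent] = None
    for line in text.strip().splitlines():
        if (m := RE_REQUEST.match(line)):
            pending = AuthEvent(m["ts"], m["vsys"], m["profile"], m["user"], "pending")
        elif pending is None:
            continue  # lines before any AUTH Request belong to no attempt
        elif (m := RE_RADIUS_ERR.match(line)):
            pending.detail = m["detail"]
        elif (m := RE_SUCCESS.match(line)):
            pending.user, pending.outcome = m["user"], "success"
            events.append(pending)
            pending = None
        elif (m := RE_FAILURE.match(line)):
            pending.user, pending.outcome, pending.reason = m["user"], "failure", m["reason"]
            events.append(pending)
            pending = None
    return events


def parse_ip_user_mapping(text: str) -> List[Mapping]:
    """Keep only data rows; the header, separator and any 'Total:' line do not match."""
    rows: List[Mapping] = []
    for line in text.splitlines():
        if (m := RE_MAPPING_ROW.match(line.strip())):
            rows.append(Mapping(m["ip"], m["source"], m["user"], int(m["idle"]), int(m["max"])))
    return rows


def cp_mappings_for_successes(events: List[AuthEvent],
                              mappings: List[Mapping]) -> Dict[str, List[Mapping]]:
    """For each user whose RADIUS auth succeeded, list the Captive Portal (CP) mappings
    User-ID holds. An empty list means RADIUS accepted the user but no CP mapping was
    installed, which is the case to investigate."""
    out: Dict[str, List[Mapping]] = {}
    for ev in events:
        if ev.outcome == "success":
            out[ev.user] = [m for m in mappings
                            if m.user.lower() == ev.user.lower() and m.source == "CP"]
    return out
```

Run against the article's output, the successful attempt for pan-training\student9 resolves to the single CP mapping at 192.168.9.50 with the shorter 300 s idle / 353 s maximum timeout, while the same user's AD-learned mapping at 10.30.11.209 is left out; the failed attempt carries both the firewall's reason ("Invalid username/password") and the RADIUS-level detail, which is what you would key an alert on when counting repeated failures per user.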
owner: wtam