How to Configure User-Group Based VPN Authentication Using Secure RSA

Overview

When it comes to authenticating users based on the user-groups, most of the deployments make use of LDAP authentication profile. This document describes the configuration that is required on the Palo Alto Networks firewall and sheds some light on how to pull the Palo Alto Networks User Group Attribute to ensure successful user-group based VPN authentication using secure RSA.

prerequisite: group information on the Palo Alto Networks firewall needs to be populated through an LDAP profile as described in this article: How to Configure Active Directory Server Profile for Group Mapping and Authentication before starting these configuration steps

Steps

1. Go to Device > Server Profiles > RADIUS and add a RADIUS server.
   
2. Go to Device > Authentication Profile and create a RADIUS authentication profile by referencing the RADIUS server profile created in Step 1.
   
   Shown in the above screenshot, see that although we have referenced the LDAP user groups in the allow list, we are making use of RADIUS server profile to relay the Authentication request to the RADIUS server. Please note that Authentication will NOT happen on the Palo Alto Networks firewall. Instead, it takes place on the RADIUS server. As a result, the RADIUS server should have the capability to pass the user-group information highlighted in the below screenshot, which is possible through "Palo Alto Networks Dictionary file".
   

Palo Alto Networks Dictionary installs on the RADIUS server and defines authentication attributes needed for communication between a Palo Alto Networks firewall and the RADIUS server.

See Also

To download the dictionary file and for more information, reference the following link: RADIUS Dictionary

owner: tshivkumar