Configuring Windows 2008 R2 RADIUS Authentication


18797
Created On 09/25/18 19:50 PM - Last Modified 04/21/20 00:46 AM


Resolution

To authenticate Palo Alto Networks firewall and Panorama administrators against a RADIUS server (Windows Server 2008 R2 Network Policy Server), configure the firewall first, then Panorama, then the RADIUS server.

 

First let's work on the firewall. 

 

  • Create a RADIUS server profile, then an authentication profile that uses it.
    • Server Profile –

 

 1.png

 

Radius Repl is the RADIUS server profile, configured with 10.66.22.193 as the RADIUS server.

 Configure the Authentication Profile –

 2.png

 

In the above figure, testRadius is the authentication profile with Radius Repl assigned as its server profile.

  1.  Configure the management authentication settings (Device > Setup > Management > Authentication Settings) to use the testRadius authentication profile.
    • Management profile –
    • If the firewall does not reach the RADIUS server through the management interface, change the RADIUS service route to the dataplane interface that can reach it. Whichever interface is used, its address is the source address of the RADIUS requests and must match the RADIUS client you later define on NPS.

 4.png

 

 

On the Panorama –

 

  • Create a RADIUS server profile, then an authentication profile that uses it.
    • Server Profile –

 5.png

 

 

 

Radius Repl is the RADIUS server profile, configured with 10.66.22.193 as the RADIUS server.

 

  • Authentication Profile –

 6.png

 

In the above figure, testRadius is the authentication profile with Radius Repl assigned as its server profile.

 

  

  • Configure the management authentication settings to use the Radius Authentication Profile.
    • Management profile –

 7.png

 

 Configure admin roles on Panorama. Create as many admin roles as you have administrators; the role name is what the RADIUS server will return for each user.

 

 8.png

 

On the RADIUS server (the configuration below applies to both the firewall and Panorama) –

  1.  Create a new RADIUS client on the Network Policy Server.
    The client IP address must be the address the firewall uses to reach the RADIUS server (the management interface, or the dataplane interface selected by the service route). For Panorama it is the management IP address. Use a long, random shared secret: NPS identifies the client by source IP and validates every request with this secret.
    9.png
  2. Create a Network Policy. Policy order matters: NPS evaluates policies top-down and applies the first match, so make sure the ones with the higher priority are listed at the top.
  3. Under Policies, create a Network Policy for the Panorama device with the following:
    Type of network access server – Unspecified
    10.png
  4. Next: Conditions – Client IPv4 Address – the IP address of the interface that connects to the RADIUS server (the management IP address for Panorama). This condition matches the source address of the RADIUS request, not the NAS-IP-Address attribute.
  5. Next: Constraints – Authentication Methods – PAP or CHAP for PAN-OS 7.0 and later; PAP only for PAN-OS 6.1 and earlier. With PAP the password crosses the wire hidden only by an MD5 keystream derived from the shared secret, so keep the firewall-to-NPS path on a management network. CHAP avoids sending the password, but NPS can only verify CHAP for accounts stored with reversible encryption in Active Directory, which is its own risk; weigh the two.
  6. Next: Settings > Vendor Specific > Add > Add Vendor Specific Attribute > Vendor-Specific > Add > Attribute Information > Add
  7. Edit the Vendor-Specific Attribute Information:
    • Vendor code – 25461 (Palo Alto Networks)
    • When asked whether the attribute conforms to the RADIUS RFC specification for vendor-specific attributes, select "Yes. It conforms."
    13.png
    Configure Attribute:
    • Vendor-assigned attribute number – 1 (PaloAlto-Admin-Role) for the firewall, 3 (PaloAlto-Panorama-Admin-Role) for Panorama. Attributes 2 and 4 carry the access domain, not the role.
    • Attribute format – String
    • Attribute value – superuser (a built-in role, or the name of an admin role profile defined on the device)
    • OK

 14.png

 

Finish

 

  • Create one user account per administrator in Active Directory Users and Computers. (For Panorama, the admin role returned for the user must match the admin role created on Panorama.)

 

  • Start -> All Programs -> Administrative tools -> Active Directory Users and Computers
    • Right Click on Users -> Add new user

 15.png

 

 

Next ->

 

 16.png

 

  • Make sure "Password Never Expires" is checked. This keeps an expired password from locking administrators out of the firewall, since PAP and CHAP give the firewall no way to prompt for a password change; balance it against your password policy for privileged accounts.

 

Next > Finish.

 

  • The user should now be able to log in to the firewall with the account created in Active Directory.
  • The user should also be able to log in to both the firewall and Panorama with the user domain specified in the authentication profile of each device.
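Before trusting the GUI login test, it helps to see exactly what the NPS policy returns. The script below is an added example, not Palo Alto Networks or Microsoft code: it sends the same kind of Access-Request a PAN-OS firewall sends (PAP, or CHAP for PAN-OS 7.0 and later), verifies the Response Authenticator so that a reply with the wrong shared secret is rejected, and decodes the vendor 25461 attributes (PaloAlto-Admin-Role, PaloAlto-Panorama-Admin-Role, and so on) from the Access-Accept. Because NPS matches the Client IPv4 Address condition on the request's source address, run it from the firewall's RADIUS source interface subnet or from a workstation you have temporarily registered as a RADIUS client with the same shared secret. The server address, secret, user name and NAS IP on the command line are assumptions supplied by you; UDP port 1812 is the NPS default.

```python
"""RADIUS/PAP-or-CHAP check for an NPS policy returning Palo Alto VSAs (vendor 25461).
Added example for this article, not vendor code. Assumes NPS listens on UDP/1812."""
import hashlib
import hmac
import os
import socket
import struct
import sys

PAN_VENDOR_ID = 25461                       # Palo Alto Networks IANA enterprise number
PAN_VSA_NAMES = {1: "PaloAlto-Admin-Role", 2: "PaloAlto-Admin-Access-Domain",
                 3: "PaloAlto-Panorama-Admin-Role",
                 4: "PaloAlto-Panorama-Admin-Access-Domain", 5: "PaloAlto-User-Group"}
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
A_USER_NAME, A_USER_PASSWORD, A_CHAP_PASSWORD, A_NAS_IP, A_VSA = 1, 2, 3, 4, 26


def pap_encode(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with MD5(secret + previous block)."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def pap_decode(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of pap_encode (what NPS does before checking the password against AD)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def chap_encode(password: bytes, challenge: bytes, chap_id: int = 1) -> bytes:
    """RFC 2865 5.3 CHAP-Password: CHAP ident + MD5(ident + password + challenge).
    With no CHAP-Challenge attribute, the Request Authenticator is the challenge."""
    return bytes([chap_id]) + hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def attr(t: int, value: bytes) -> bytes:
    return struct.pack("!BB", t, len(value) + 2) + value


def pan_vsa(vendor_type: int, value: str) -> bytes:
    """Vendor-Specific attribute exactly as NPS emits it for vendor code 25461, format String."""
    data = value.encode()
    return attr(A_VSA, struct.pack("!I", PAN_VENDOR_ID)
                + struct.pack("!BB", vendor_type, len(data) + 2) + data)


def build_access_request(ident, authenticator, username, password, secret, nas_ip, auth="pap"):
    attrs = attr(A_USER_NAME, username.encode())
    if auth == "chap":
        attrs += attr(A_CHAP_PASSWORD, chap_encode(password.encode(), authenticator, ident & 0xFF))
    else:
        attrs += attr(A_USER_PASSWORD, pap_encode(password.encode(), secret, authenticator))
    attrs += attr(A_NAS_IP, socket.inet_aton(nas_ip))   # informational; NPS matches on source IP
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(data: bytes):
    """Return [(type, value)] pairs; vendor 25461 VSAs are expanded to (name, string)."""
    out, pos = [], 0
    while pos + 2 <= len(data):
        t, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("malformed attribute")
        v, pos = data[pos + 2:pos + length], pos + length
        if t == A_VSA and len(v) >= 6 and struct.unpack("!I", v[:4])[0] == PAN_VENDOR_ID:
            vt, vl = v[4], v[5]
            out.append((PAN_VSA_NAMES.get(vt, f"PaloAlto-VSA-{vt}"), v[6:4 + vl].decode(errors="replace")))
        else:
            out.append((t, v))
    return out


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def decode_response(packet: bytes, request_authenticator: bytes, secret: bytes):
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("bad Response Authenticator: wrong shared secret or spoofed reply")
    length = struct.unpack("!H", packet[2:4])[0]
    return packet[0], parse_attrs(packet[20:length])


def build_access_accept(ident, request_authenticator, secret, attrs_bytes):
    """Server-side reply builder; used to construct a sample NPS Access-Accept offline."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs_bytes))
    return head + hashlib.md5(head + request_authenticator + attrs_bytes + secret).digest() + attrs_bytes


def radius_login(server, secret, username, password, nas_ip, auth="pap", port=1812, timeout=5):
    ident, ra = os.urandom(1)[0], os.urandom(16)
    req = build_access_request(ident, ra, username, password, secret, nas_ip, auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (server, port))
        data, _ = s.recvfrom(4096)
    if data[1] != ident:
        raise ValueError("identifier mismatch")
    return decode_response(data, ra, secret)


if __name__ == "__main__":
    # usage: python radius_check.py <nps-ip> <shared-secret> <user> <password> <nas-ip> [pap|chap]
    srv, sec, user, pw, nas = sys.argv[1:6]
    code, attrs = radius_login(srv, sec.encode(), user, pw, nas, sys.argv[6] if len(sys.argv) > 6 else "pap")
    print({2: "Access-Accept", 3: "Access-Reject"}.get(code, code), attrs)
```

An Access-Accept without a PaloAlto-Admin-Role (or PaloAlto-Panorama-Admin-Role) entry means the policy matched but the VSA was not attached, which is the usual reason the firewall still denies the login after NPS says yes. An Access-Reject with nothing else means the policy did not match (check the Client IPv4 Address condition against the real source address) or the password was wrong; the NPS event log will say which.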

 

 



https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClflCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail