To authenticate Palo Alto Networks firewall and Panorama administrators against a RADIUS server (Win2K8 R2), the firewall must be configured first.
First, let's work on the firewall.
Create an authentication profile for the RADIUS server.
Server Profile –
Radius Repl is the server profile, configured with 10.66.22.193 as the RADIUS server.
Configure the Authentication Profile –
In the above figure, test Radius is the Authentication Profile, with Radius Repl assigned as its server profile.
Configure the management authentication settings to use the Radius Authentication Profile.
Management profile –
If the firewall does not reach the RADIUS server through the management interface, change the service route to the interface that connects to the server.
On the Panorama –
Create an authentication profile for the RADIUS server.
Server Profile –
Radius Repl is the server profile, configured with 10.66.22.193 as the RADIUS server.
Authentication Profile –
In the above figure, testRadius is the Authentication Profile, with Radius Repl assigned as its server profile.
Configure the management authentication settings to use the Radius Authentication Profile.
Management profile –
Configure an Admin Role on Panorama. Create as many admin roles as there are administrators.
On the RADIUS server (the configuration below applies to both the firewall and Panorama) –
Create a new RADIUS Client on the Network Policy Server. The IP address must be the IP address of the firewall interface that connects to the RADIUS server; for Panorama, it is the management IP address.
Create a Network Policy. The order of the network policies matters, so make sure the ones with higher priority are listed at the top.
Under Policies, create a “Network Policy” for the Panorama device with the following settings. Type of network access server – Unspecified.
Next, Conditions – Client IPv4 Address – the IP address of the interface that connects to the RADIUS server (the management IP address for Panorama).
Next, Constraints – CHAP or PAP for PAN-OS 7.0.x and below, and PAP for 6.1.x and below.
Next, Configure Settings > Vendor Specific > Attributes > Add > Add Vendor Specific Attributes > Vendor Specific > Attribute Information > Add.
Edit the Vendor-Specific Attribute Information:
Vendor code – 25461
Select “Yes. It conforms” when asked whether the vendor conforms to the RFC specification for vendor-specific attributes, then click Configure Attribute:
Attribute number – 1 or 2 (Firewall) and 3 or 4 (Panorama)
Attribute format – String
Attribute value – superuser
OK
Finish
Create as many users as there are administrators in Active Directory Users and Computers, with all permissions. (For Panorama, the user name must match the Admin Role created on Panorama.)
Start -> All Programs -> Administrative tools -> Active Directory Users and Computers
Right Click on Users -> Add new user
Next ->
Make sure the “Password Never Expires” is checked.
Next > Finish.
The user should now be able to log in to the firewall with the user account created on the RADIUS server.
The user should also be able to log in to both the firewall and Panorama with the domain specified in the Authentication Profile of each device.
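When the login check above fails, the usual cause is the Vendor-Specific Attribute the NPS policy returns (vendor code 25461, attribute number 1 for the firewall or 3 for Panorama, string value such as superuser). The following added example, not part of the original article or any Palo Alto Networks or Microsoft code, decodes a captured RADIUS Access-Accept and lists the Palo Alto VSAs it carries; the attribute names in PAN_VSA_NAMES are taken from Palo Alto's RADIUS dictionary and are an assumption of the example, and the sample packet is constructed inline with a zeroed authenticator.

```python
import struct

RADIUS_VSA, ACCESS_ACCEPT = 26, 2  # RFC 2865 Vendor-Specific attribute type; Access-Accept packet code
PALO_ALTO_VENDOR_ID = 25461        # vendor code entered on the NPS policy (from the article)
# Attribute numbers 1-4 as the article lists them; the role/access-domain names come from
# Palo Alto's RADIUS dictionary and are an assumption of this example, not article text.
PAN_VSA_NAMES = {1: "PaloAlto-Admin-Role", 2: "PaloAlto-Admin-Access-Domain",
                 3: "PaloAlto-Panorama-Admin-Role", 4: "PaloAlto-Panorama-Admin-Access-Domain"}

def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute (type 26) carrying a string sub-attribute."""
    data = value.encode("utf-8")
    vendor_len = 2 + len(data)  # vendor-type + vendor-length + data
    return struct.pack("!BBIBB", RADIUS_VSA, 6 + vendor_len, vendor_id, vendor_type, vendor_len) + data

def parse_attributes(blob):
    """Yield (type, value) pairs from a RADIUS attribute list, rejecting malformed lengths."""
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = blob[pos], blob[pos + 1]
        if attr_len < 2 or pos + attr_len > len(blob):
            raise ValueError("bad attribute length")
        yield attr_type, blob[pos + 2:pos + attr_len]
        pos += attr_len

def pan_attributes(packet):
    """Return {name: value} for every Palo Alto VSA in an Access-Accept; {} for anything else."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        return {}
    found = {}
    for attr_type, value in parse_attributes(packet[20:]):  # skip the 20-byte RADIUS header
        if attr_type != RADIUS_VSA or len(value) < 4 or struct.unpack("!I", value[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue  # non-VSA attributes and other vendors (e.g. Microsoft, 311) are ignored
        for vendor_type, data in parse_attributes(value[4:]):  # sub-attributes reuse the TLV layout
            found[PAN_VSA_NAMES.get(vendor_type, f"PaloAlto-VSA-{vendor_type}")] = data.decode("utf-8")
    return found

def build_access_accept(ident, attrs):
    """Constructed Access-Accept with a zeroed Response Authenticator (sample input only, unsigned)."""
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs)) + bytes(16) + attrs

# Constructed sample: the NPS policy returned vendor 25461 / attribute 1 / "superuser",
# plus an unrelated Microsoft (311) VSA that the firewall must ignore.
SAMPLE_ACCEPT = build_access_accept(7, encode_vsa(PALO_ALTO_VENDOR_ID, 1, "superuser")
                                    + encode_vsa(311, 7, "unrelated"))
```

Feeding the same decoder a packet that carries attribute 3 instead of 1 shows why a policy written for Panorama yields no admin role on a firewall: the firewall-side name is simply absent from the result.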