How Multiple PAN-OS RADIUS Server Profiles (Server List) are Used for Authentication

24709
Created On 09/26/18 13:49 PM - Last Modified 06/08/23 09:50 AM


Resolution


Overview

This document outlines how the RADIUS servers defined in a single RADIUS server profile are used during an authentication attempt: the order in which they are tried, how many requests each one receives, and when the firewall moves on to the next server in the list.

 

Details

The Palo Alto Networks device sends a RADIUS Access-Request (UDP) to each server in the list in turn. The servers are tried in the order in which they are configured in the profile; the firewall only moves to the next server after the current one has failed to answer all of the configured retries.

 

For example

Three RADIUS servers are configured in one RADIUS server profile (radius-auth-1) at Device > Server Profiles > RADIUS:

  • Server 1 - 10.46.48.95
  • Server 2 - 10.46.48.96
  • Server 3 - 10.46.48.97

 

The resulting server profile in the configuration (CLI set commands) is as follows. Note the timeout (3 seconds) and retries (3) values at the end; together they decide how long each server is tried before the next one:

set vsys vsys2 server-profile radius radius-auth-1 server srvr-1 secret -AQ==TA0rlR/6vW+aEEidxA/DVuwdJtU=sh7o9V7gbphma3iMCxtP/Q==
set vsys vsys2 server-profile radius radius-auth-1 server srvr-1 port 1812
set vsys vsys2 server-profile radius radius-auth-1 server srvr-1 ip-address 10.46.48.95
set vsys vsys2 server-profile radius radius-auth-1 server srvr-2 secret -AQ==TA0rlR/6vW+aEEidxA/DVuwdJtU=sh7o9V7gbphma3iMCxtP/Q==
set vsys vsys2 server-profile radius radius-auth-1 server srvr-2 port 1812
set vsys vsys2 server-profile radius radius-auth-1 server srvr-2 ip-address 10.46.48.96
set vsys vsys2 server-profile radius radius-auth-1 server srvr-3 secret -AQ==TA0rlR/6vW+aEEidxA/DVuwdJtU=sh7o9V7gbphma3iMCxtP/Q==
set vsys vsys2 server-profile radius radius-auth-1 server srvr-3 port 1812
set vsys vsys2 server-profile radius radius-auth-1 server srvr-3 ip-address 10.46.48.97
set vsys vsys2 server-profile radius radius-auth-1 checkgroup no
set vsys vsys2 server-profile radius radius-auth-1 timeout 3
set vsys vsys2 server-profile radius radius-auth-1 retries 3

 

With retries set to 3, the Palo Alto Networks device sends three Access-Request packets to each server in succession, one every 3 seconds. The interval is the configured timeout (default 3 seconds): a server that has not answered within the timeout gets the next retransmission, and once the last retransmission to a server goes unanswered the firewall moves to the next server in the list. The retransmissions are identical packets (same RADIUS identifier and same source port, as the capture below shows). In the worst case, when no server answers at all, the authentication attempt only fails after servers x retries x timeout = 3 x 3 x 3 = 27 seconds, which the user or administrator waiting on the login sees as a hang; keep that figure in mind when raising the timeout or retries or adding servers to the list.

    • Transmit 3 RADIUS Access-Request packets to server-1
    • Transmit 3 RADIUS Access-Request packets to server-2
    • Transmit 3 RADIUS Access-Request packets to server-3

 

Example scenario with packet capture:

Server-3 is the only server responding to RADIUS authentication requests. For the capture below the timeout was set to 1 second (instead of the default 3), so the retransmissions are one second apart. The capture shows three unanswered attempts to server-1 and three to server-2, followed by a single attempt to server-3 that is answered with an Access-Accept. Note that the identifier (0x23) and source port (55990) stay the same across every packet:

02:44:26.870888 IP 10.46.32.5.55990 > 10.46.48.95.radius: RADIUS, Access Request (1), id: 0x23 length: 66
02:44:27.871910 IP 10.46.32.5.55990 > 10.46.48.95.radius: RADIUS, Access Request (1), id: 0x23 length: 66
02:44:28.872957 IP 10.46.32.5.55990 > 10.46.48.95.radius: RADIUS, Access Request (1), id: 0x23 length: 66
02:44:29.874032 IP 10.46.32.5.55990 > 10.46.48.96.radius: RADIUS, Access Request (1), id: 0x23 length: 66
02:44:30.875082 IP 10.46.32.5.55990 > 10.46.48.96.radius: RADIUS, Access Request (1), id: 0x23 length: 66
02:44:31.876130 IP 10.46.32.5.55990 > 10.46.48.96.radius: RADIUS, Access Request (1), id: 0x23 length: 66
02:44:32.877199 IP 10.46.32.5.55990 > 10.46.48.97.radius: RADIUS, Access Request (1), id: 0x23 length: 66
02:44:32.878431 IP 10.46.48.97.radius > 10.46.32.5.55990: RADIUS, Access Accept  (2), id: 0x23 length: 37

 

Another example scenario:

Server-2 is the only server responding to RADIUS authentication requests.

In this scenario, the Palo Alto Networks device transmits three Access-Requests to server-1, one per timeout interval, and then one to server-2. If server-2 responds, no further attempts are made and server-3 is never contacted.
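The server-list walk described above (the Details paragraph, the three-packets-per-server list and the two scenarios), as an added example that is not from this article or from Palo Alto Networks: a minimal RADIUS client in Python that builds an RFC 2865 Access-Request, sends the configured number of identical requests to each server in configured order, waits the timeout for each, moves on to the next server, and checks the Response Authenticator of any reply before trusting it. The server names and IP addresses come from the article; the shared secret, the username and password, and the fake transport used for the offline run are constructed for the example. PAN-OS's own implementation is not public and may differ in detail (for instance in how it treats a reply that arrives after the timeout); the block models the behaviour the article documents.

```python
import hashlib
import secrets
import socket
import struct

# RADIUS packet codes and attribute types used here (RFC 2865).
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2

# Server list in configured order. Names and IPs are the article's; the shared
# secret is a constructed placeholder (the article shows only an encrypted blob).
SERVERS = [
    ("srvr-1", "10.46.48.95", 1812, b"example-shared-secret"),
    ("srvr-2", "10.46.48.96", 1812, b"example-shared-secret"),
    ("srvr-3", "10.46.48.97", 1812, b"example-shared-secret"),
]

def _attr(attr_type, value):
    """One RADIUS attribute: Type, Length (counts the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks; XOR each with MD5(secret + previous
    block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def build_access_request(ident, username, password, secret, authenticator=None):
    """Client side: Access-Request (code 1) with a random Request Authenticator."""
    authenticator = authenticator or secrets.token_bytes(16)
    attrs = _attr(ATTR_USER_NAME, username.encode()) + _attr(
        ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def build_response(code, ident, request_auth, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def verify_response(resp, ident, request_auth, secret):
    """Return the code only if id and authenticator check out, else None (wrong
    shared secret, truncated datagram, or a forged reply from an off-path host)."""
    if len(resp) < 20:
        return None
    code, r_ident, length = struct.unpack("!BBH", resp[:4])
    if r_ident != ident or length != len(resp):
        return None
    expected = hashlib.md5(resp[:4] + request_auth + resp[20:] + secret).digest()
    return code if secrets.compare_digest(expected, resp[4:20]) else None

def udp_transport(host, port, packet, timeout):
    """Real transport: one datagram, then wait at most `timeout` seconds for a reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            return sock.recvfrom(4096)[0]
        except socket.timeout:
            return None

def authenticate(servers, username, password, timeout=3.0, retries=3,
                 transport=udp_transport, ident=0x23):
    """Walk the list in configured order: `retries` identical Access-Requests per
    server (same id, as in the article's capture), `timeout` seconds each, then
    the next server. Returns (result, attempts) with attempts as (server, try)."""
    attempts = []
    for name, host, port, secret in servers:
        packet, req_auth = build_access_request(ident, username, password, secret)
        for n in range(1, retries + 1):
            attempts.append((name, n))
            resp = transport(host, port, packet, timeout)
            code = verify_response(resp, ident, req_auth, secret) if resp else None
            if code in (ACCESS_ACCEPT, ACCESS_REJECT):  # a definite answer ends the walk
                return ("accept" if code == ACCESS_ACCEPT else "reject"), attempts
    return "timeout", attempts

def worst_case_seconds(servers, timeout=3.0, retries=3):
    """How long a login hangs before the profile fails when no server answers."""
    return len(servers) * retries * timeout

def simulate(responding, wrong_secret_on=None):
    """Offline run: only `responding` answers (Access-Accept); `wrong_secret_on`
    replies under a different secret, which the client must discard."""
    host_of = {name: host for name, host, _, _ in SERVERS}
    secret_of = {host: sec for _, host, _, sec in SERVERS}
    def fake_transport(host, port, packet, timeout):
        ident, req_auth = packet[1], packet[4:20]
        if responding and host == host_of[responding]:
            return build_response(ACCESS_ACCEPT, ident, req_auth, secret_of[host])
        if wrong_secret_on and host == host_of[wrong_secret_on]:
            return build_response(ACCESS_ACCEPT, ident, req_auth, b"not-the-secret")
        return None  # silent server: the client waits out `timeout`
    return authenticate(SERVERS, "alice", "pa55word", transport=fake_transport)
```

Against a real server, call authenticate(SERVERS, user, password) with the default udp_transport; simulate("srvr-3") and simulate("srvr-2") reproduce the article's two scenarios offline and return the exact attempt sequence (three tries on each silent server, one on the responder). simulate("srvr-2", wrong_secret_on="srvr-1") shows why the authenticator check matters: a reply that does not verify is treated like no reply at all, so a mismatched shared secret on one server costs the full retries x timeout delay rather than a wrong accept or reject. worst_case_seconds(SERVERS) returns the 27-second hang a user sees when no server answers.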

 

owner: jye



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClqECAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail