How to Configure Basic RADIUS Authentication
Created On 01/16/20 04:15 AM - Last Modified 01/17/20 00:41 AM
Objective
This document describes how to configure a RADIUS authentication profile using PAP or CHAP.
Environment
- PAN-OS 8.0 and above.
- Palo Alto Firewall.
Procedure
- Ensure the management IP of the Firewall is configured on the RADIUS server as a client.
- Add the above RADIUS server on the firewall in the GUI: Device > Server Profiles > RADIUS. Configure the name, IP address, secret, and port used. Note that the authentication protocol used is PAP or CHAP.
- Next, configure the authentication profile to use this server in the GUI: Device > Authentication Profile > Add. Set "Type" to RADIUS and, in the "Server Profile" section, select the RADIUS server profile created in step 1 above. The username modifier behaves as follows:
  - If the source sends the user information in domain\username format, the firewall sends the user information to the server in the same format.
  - If the source sends the user information in username@domain format, the firewall normalizes the user information to the domain\username format before sending it to the server.
  - If the source sends only the username, the firewall adds the User Domain you specify before sending the information to the server in domain\username format.
- Click on the "Advanced" tab and select the users to be added to the allowed list. Leave the "Factors" tab untouched; it is used only for Multi-Factor Authentication.
- Click on OK and Commit the configuration.
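What the shared secret configured in the server profile protects under each protocol, as an added example that is not part of the original article or PAN-OS code: it builds the Access-Request attributes per RFC 2865 for PAP and CHAP. The secret, username and password are constructed sample values. Both schemes rest on MD5, so the secret should be long and random and the RADIUS traffic kept on a trusted management network.

```python
import hashlib
import os
import struct

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: User-Password as sent in the Access-Request under PAP."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Keystream block = MD5(secret + previous ciphertext block)
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: anyone holding the secret recovers the cleartext password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_password(chap_id: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 2865 5.3: CHAP ident + MD5(ident + password + challenge).
    The shared secret is not an input; the server must know the cleartext password."""
    ident = bytes([chap_id])
    return ident + hashlib.md5(ident + password + challenge).digest()

def access_request(identifier: int, authenticator: bytes, attrs) -> bytes:
    """Code 1 header + 16-octet Request Authenticator + type/length/value attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret, user, pw = b"constructed-secret", b"corp\\alice", b"constructed-passw0rd"
    ra = os.urandom(16)  # Request Authenticator; doubles as the CHAP challenge
    pap = access_request(1, ra, [(1, user), (2, pap_hide(pw, secret, ra))])
    chap = access_request(2, ra, [(1, user), (3, chap_password(2, pw, ra))])
    print("PAP :", pap.hex())
    print("CHAP:", chap.hex())
```

Attribute types used are User-Name (1), User-Password (2) and CHAP-Password (3); with no CHAP-Challenge attribute present, the Request Authenticator serves as the challenge.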