How to Configure Azure SAML for Admin UI Access and RADIUS for CLI Authentication on Palo Alto Networks Firewall or Panorama

Created On 02/10/25 18:53 PM - Last Modified 06/25/25 15:26 PM


Objective


This guide provides instructions for configuring SAML authentication for Admin UI (web interface) access and RADIUS authentication for CLI (SSH) access on a Palo Alto Networks firewall or Panorama. The goal is secure, centralized administrator authentication: browser logins are delegated to an external SAML identity provider, while CLI logins, which cannot use SAML, are validated by a RADIUS server.



Environment


  • Palo Alto Networks Firewall and Panorama
  • Azure SAML IDP
  • RADIUS Server
  • Authentication Settings


Procedure


Part 1: Configure Azure SAML Authentication for Admin UI

Detailed steps and screenshots are provided in the knowledge base article How to Configure Azure SAML Authentication for Admin UI.

Step 1: Apply SAML Authentication to Admin UI

          1. For a firewall, navigate to Device > Setup > Management > Authentication Settings.

          2. Click Edit, then under Authentication Profile select the SAML authentication profile from the list.

          3. For Panorama, navigate to Panorama > Setup > Management > Authentication Settings.

          4. Click Edit, then under Authentication Profile select the SAML authentication profile from the list.

          5. Click OK, then Commit the changes.

          SAML authentication is now enabled for the Admin UI.

Part 2: Configure RADIUS Authentication for CLI Access

Detailed steps and screenshots are provided in the knowledge base article Configuring Administrator Authentication with Windows 2008 RADIUS Server (NPS/IAS).

Step 1: Apply RADIUS Authentication to CLI Access

         1. For a firewall, navigate to Device > Setup > Management > Authentication Settings.

         2. Click Edit, then under Authentication Profile select the RADIUS authentication profile from the drop-down list.

         3. For Panorama, navigate to Panorama > Setup > Management > Authentication Settings.

         4. Click Edit, then under Authentication Profile select the RADIUS authentication profile from the list.

         5. Click OK, then Commit the changes.

         RADIUS authentication is now configured for CLI access.

 

Testing Authentication

Admin UI (SAML Login)

         1. Open a browser and go to https://<firewall-IP> (or the Panorama management address).

         2. Click SAML Login. You should be redirected to your IdP for authentication and, after a successful sign-in, returned to the Admin UI.

CLI (RADIUS Login)

         1. Open an SSH session to the firewall.
         2. Enter your RADIUS username and password.
         3. Authentication should be validated by the RADIUS server; the login succeeds only if the server returns Access-Accept with an admin role.

 



Additional Information


Note: Some lines of the logs below are removed for brevity.

SAML authentication flow observed in authd.log

debug: pan_auth_request_process(pan_auth_state_engine.c:3618): Receive request: msg type PAN_AUTH_REQ_SAML_PARSE_SSO_RESPONSE, conv id 6, body length 9781
debug: _extract_sso_attribute(pan_authd_saml_internal.c:551): Got attr name (admin role) "adminrole" ; value "panadmin"; 
debug: pan_auth_saml_resp_process(pan_auth_state_engine.c:5613): Check allow list status for user1@domain.com (Azure-SSO-Admin-UI/)
debug: _create_admin_acct_if_needed(pan_auth_state_engine.c:238): local admin acct for remote user 'user1@domain.com' exists
debug: _create_admin_acct_if_needed(pan_auth_state_engine.c:241): user "user1@domain.com" home dir entry: "/opt/pancfg/home/user1@domain.com" does not exist
debug: pan_auth_mgr_get_usernameonly(pan_auth_mgr.c:374): strict_name_check=no, username=user1@domain.com, usernameonly=user1
debug: _log_saml_respone(pan_auth_server.c:716): Sent PAN_AUTH_SUCCESS SAML response:(authd_id: 7468813209936332638) (return username 'user1@domain.com') (auth profile 'Azure-SSO-Admin-UI') (NameID 'user1@domain.com') (SessionIndex '_34147923-9eac-41e9-9243-9bf24c863a00') (Single Logout enabled? 'No') (Is it CAS (cloud-auth-service)? 'No')
debug: pan_db_funcs_request_process(pan_auth_state_engine.c:1632): init'ing group request (authorization)
debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1473): start to authorize user "user1@domain.com"
debug: pan_auth_mgr_get_usernameonly(pan_auth_mgr.c:374): strict_name_check=no, username=user1@domain.com, usernameonly=user1
debug: pan_auth_mgr_get_userinfo(pan_auth_mgr.c:2296): Found userinfo (name/role/ado) cache entry: user1/panadmin/adomain
debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1582): Sent authorization response for user "user1@domain.com": role/domain="panadmin/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1
debug: pan_authd_show_user_auth_stat_internal(pan_auth_ops.c:1251): Got admin user "user1@domain.com" last successful login time: 02/10/2025 08:27:13 ; number of failed attempts since last successful login: 2
debug: pan_authd_opcmd_handler(pan_auth_ops.c:1316): Return: "<last-successful-login-time>02/10/2025 08:27:13</last-successful-login-time><failed-attempts-since-last-successful-login>2</failed-attempts-since-last-successful-login>"

 

RADIUS authentication flow observed in authd.log

debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1895): Authenticating user "user1" with <profile: "RADIUS", vsys: "shared">
debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:236): username: user1
debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:438): RADIUS request type: PAP
debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:284): resp_code = RAD_ACCESS_ACCEPT
debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:301): admin role = panadmin
debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1745): Got response for user: "user1"
debug: pan_auth_response_process(pan_auth_state_engine.c:4558): auth status: auth success
debug: _create_admin_acct_if_needed(pan_auth_state_engine.c:238): local admin acct for remote user 'user1' exists
debug: pan_auth_response_process(pan_auth_state_engine.c:4579): Authentication success: <profile: "RADIUS", vsys: "shared", username "user1">
debug: pan_auth_send_auth_resp(pan_auth_server.c:889): Succeed to cache role/adomain panadmin/adomain for user user1
debug: pan_db_funcs_request_process(pan_auth_state_engine.c:1632): init'ing group request (authorization)
debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1473): start to authorize user "user1"
debug: pan_auth_mgr_get_userinfo(pan_auth_mgr.c:2296): Found userinfo (name/role/ado) cache entry: user1/panadmin/adomain
debug: pan_auth_mgr_get_userinfo(pan_auth_mgr.c:2304): Purged userinfo (name/role/ado) cache entry: user1/panadmin/adomain after being stale > 3600 secs
debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1582): Sent authorization response for user "user1": role/domain="panadmin/adomain"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1
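As an added example (not from this article or from Palo Alto Networks), the following Python parses the two authd.log excerpts above and reduces each to the facts an administrator checks after enabling the profiles: which method authenticated, which user and profile, the outcome, the role granted, and a couple of review notes. The regular expressions are assumptions matched against the exact message formats shown above; other PAN-OS releases may word these messages differently.

```python
import re

# authd.log excerpts copied from the article above (abridged; not live data)
SAML_LOG = """\
debug: pan_auth_request_process(pan_auth_state_engine.c:3618): Receive request: msg type PAN_AUTH_REQ_SAML_PARSE_SSO_RESPONSE, conv id 6, body length 9781
debug: _extract_sso_attribute(pan_authd_saml_internal.c:551): Got attr name (admin role) "adminrole" ; value "panadmin";
debug: _log_saml_respone(pan_auth_server.c:716): Sent PAN_AUTH_SUCCESS SAML response:(authd_id: 7468813209936332638) (return username 'user1@domain.com') (auth profile 'Azure-SSO-Admin-UI') (NameID 'user1@domain.com') (SessionIndex '_34147923-9eac-41e9-9243-9bf24c863a00') (Single Logout enabled? 'No') (Is it CAS (cloud-auth-service)? 'No')
debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1582): Sent authorization response for user "user1@domain.com": role/domain="panadmin/"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1
debug: pan_authd_show_user_auth_stat_internal(pan_auth_ops.c:1251): Got admin user "user1@domain.com" last successful login time: 02/10/2025 08:27:13 ; number of failed attempts since last successful login: 2
"""
RADIUS_LOG = """\
debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1895): Authenticating user "user1" with <profile: "RADIUS", vsys: "shared">
debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:438): RADIUS request type: PAP
debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:284): resp_code = RAD_ACCESS_ACCEPT
debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:301): admin role = panadmin
debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1582): Sent authorization response for user "user1": role/domain="panadmin/adomain"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1
"""

# One regex per authd message we care about (assumed formats, taken from the lines above)
PATTERNS = {
    "saml_result": re.compile(r"Sent PAN_AUTH_(\w+) SAML response:.*\(return username '([^']+)'\).*\(auth profile '([^']+)'\)"),
    "radius_start": re.compile(r'Authenticating user "([^"]+)" with <profile: "([^"]+)"'),
    "radius_type": re.compile(r"RADIUS request type: (\w+)"),
    "radius_code": re.compile(r"resp_code = (RAD_\w+)"),
    "role": re.compile(r'authorization response for user "[^"]+": role/domain="([^/"]*)/([^"]*)"'),
    "failed": re.compile(r"number of failed attempts since last successful login: (\d+)"),
}

def summarize_authd(text):
    """Reduce an authd.log excerpt to who logged in, via what, the outcome and the role granted."""
    s = {"method": None, "user": None, "profile": None, "result": "unknown",
         "role": None, "domain": None, "failed_attempts": 0, "notes": []}
    for line in text.splitlines():
        if m := PATTERNS["saml_result"].search(line):
            s.update(method="SAML", user=m.group(2), profile=m.group(3),
                     result="success" if m.group(1) == "SUCCESS" else "failure")
        elif m := PATTERNS["radius_start"].search(line):
            s.update(method="RADIUS", user=m.group(1), profile=m.group(2))
        elif (m := PATTERNS["radius_type"].search(line)) and m.group(1) == "PAP":
            s["notes"].append("PAP: password is only obfuscated with the RADIUS shared secret; keep the RADIUS path on a trusted management network")
        elif m := PATTERNS["radius_code"].search(line):
            s["result"] = "success" if m.group(1) == "RAD_ACCESS_ACCEPT" else "failure"
        elif m := PATTERNS["role"].search(line):
            s["role"], s["domain"] = m.group(1), m.group(2) or None
        elif m := PATTERNS["failed"].search(line):
            s["failed_attempts"] = int(m.group(1))
    if s["failed_attempts"]:
        s["notes"].append(f"{s['failed_attempts']} failed attempts since last successful login; review before trusting this session")
    return s
```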
