Radius Authentication Failing with FQDN in Server Profile

Created On 04/25/20 00:28 AM - Last Modified 04/28/20 17:36 PM


Symptom


Radius authentication fails when an FQDN is specified in the server profile. It works after a "commit force" or when an IP address is specified instead.

Cause


In PAN-OS 8.1 and earlier, when an FQDN is specified in place of the Radius server IP address, the name is resolved only during "autocommit" (usually at system boot) or "commit force."

Resolution


Since the resolution happens neither "on the fly" nor during a normal "commit," various situations may lead to unexpected failures to reach the server, such as:
  • DNS resolution failed during system bootup, and the system does not subsequently resolve the IP until "commit force"
  • The Radius server was re-addressed and DNS was properly updated, but the system uses the OLD IP until "commit force"
For PAN-OS 8.1, a static IP is often used to avoid this limitation. However, PAN-OS 9.0 introduced an enhancement that leverages DNS Proxy logic for better FQDN resolution in Radius server profiles.
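
Both situations above can be detected from a management host by comparing the address the name resolved to at the last autocommit or "commit force" with what DNS returns now. The following Python code is an added example, not Palo Alto Networks code; check_drift, its status strings, radius.example.com and the sample addresses are assumptions for illustration, and the committed addresses are assumed to have been recorded by the operator at commit time.

```python
import socket


def resolve(fqdn):
    """Return the set of addresses DNS currently gives for fqdn (empty on failure)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_UDP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def check_drift(fqdn, committed_ips, resolver=resolve):
    """Classify an FQDN-based Radius server entry on PAN-OS 8.1 or earlier.

    committed_ips: addresses the operator recorded when the name was last
    resolved (autocommit or "commit force"). An empty set means resolution
    failed at that time. resolver is injectable so the check can be tested
    without network access.
    """
    committed = set(committed_ips)
    if not committed:
        # First situation: DNS failed at boot, so no usable address is held
        # until the next "commit force".
        return "unresolved-at-commit"
    current = resolver(fqdn)
    if not current:
        # DNS is failing right now; nothing to compare against.
        return "dns-unavailable"
    if committed & current:
        return "ok"
    # Second situation: the server was re-addressed and DNS was updated,
    # but the old address stays in use until "commit force".
    return "stale"


if __name__ == "__main__":
    # Constructed sample: the address recorded at commit time (documentation range).
    recorded = {"192.0.2.10"}
    status = check_drift("radius.example.com", recorded)
    print("radius.example.com:", status)
    if status in ("stale", "unresolved-at-commit"):
        print('A "commit force" is needed before the firewall uses the current address.')
```

A result of "stale" or "unresolved-at-commit" corresponds to the cases where authentication recovers only after "commit force" or after switching the profile to a static IP.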


Additional Information



For more information, please review the following:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/dns/use-case-2-isp-tenant-uses-dns-proxy-to-handle-dns-resolution-for-security-policies-reporting-and-services-withi.html#

