https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-auth-via-management/m-p/594509#M5653 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/31972">@tcsmithh</a> ,</P> <P>In the service routes config you can specify source interface per service, or per destinantion.</P> <P>If you define source interface for RADIUS service, this will force the firewall to use the same interface for every RADIUS server you define.</P> <P>Specifying source interface per destination allow you to have different RADIUS servers reachable from different interfaces/VRs</P> Fri, 09 Aug 2024 15:42:33 GMT aleksandar.astardzhiev 2024-08-09T15:42:33Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-auth-via-management/m-p/594146#M5635 <P>Greetings,</P> <P>i have a GP portal and Gateway configured for radius auth in vr2 with just connected and a default route. vr1 has the routes to the radius server. my question is, can i send the auth requests via the management port?</P> <P>&nbsp;</P> <P>thanks</P> Tue, 06 Aug 2024 14:25:52 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-auth-via-management/m-p/594146#M5635 tcsmithh 2024-08-06T14:25:52Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-auth-via-management/m-p/594181#M5639 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/31972">@tcsmithh</a>,</P> <P>By default Palo Alto firewall will always use the dedicated management interface for services like authentication servers, DNS, NTP etc.</P> <P>When you configure your RADIUS server, firewall will try to reach it over the dedicated management interface. Note that this traffic does not pass over the firewall policy, nor perform route look with any VR (virtual-router), it just uses the management default route.</P> <P>&nbsp;</P> <P>If FW management network does not have access to RADIUS server you can tell the firewall to use one of the dateplane interface, by changing the relevant service route - <A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/service-routes/service-routes-overview" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/service-routes/service-routes-overview</A></P> <P>With service routes you basically tell the firewall which dataplane interface to use as source interface. After that the traffic will perform route lookup - against the VR associated with source interface - to determine the next hop.Traffic will also pass over the security policy, so if your policy is very restrictive you need to make sure it is allowed</P> Tue, 06 Aug 2024 19:39:08 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-auth-via-management/m-p/594181#M5639 aleksandar.astardzhiev 2024-08-06T19:39:08Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-auth-via-management/m-p/594506#M5651 <P>thank you very much, i was certain that was the case, but wanted verification....unless i do custom routing.... thanks again</P> Fri, 09 Aug 2024 14:16:35 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-auth-via-management/m-p/594506#M5651 tcsmithh 2024-08-09T14:16:35Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-auth-via-management/m-p/594509#M5653 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/31972">@tcsmithh</a> ,</P> <P>In the service routes config you can specify source interface per service, or per destinantion.</P> <P>If you define source interface for RADIUS service, this will force the firewall to use the same interface for every RADIUS server you define.</P> <P>Specifying source interface per destination allow you to have different RADIUS servers reachable from different interfaces/VRs</P> Fri, 09 Aug 2024 15:42:33 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-auth-via-management/m-p/594509#M5653 aleksandar.astardzhiev 2024-08-09T15:42:33Z