topic Re: group-based policies for RADIUS authenticated users. in General Topics

group-based policies for RADIUS authenticated users.

Carracido — Thu, 16 Dec 2021 15:31:40 GMT

Dear community,

For users who authenticate via RADIUS on Active Directory, is there any possibility to fetch the groups for those RADIUS users so that group-based policies can be created in the firewall?

Thank you!

Re: group-based policies for RADIUS authenticated users.

OtakarKlier — Thu, 16 Dec 2021 22:13:46 GMT

Hello,

I think this might be what you are looking for:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POFXCA4

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CluUCAS

Regards,

Re: group-based policies for RADIUS authenticated users.

Carracido — Thu, 30 Dec 2021 09:54:13 GMT

Hi @OtakarKlier ,

Many thanks for your answer.

What I´m trying to do is to retrieve the group membership for RADIUS authenticated users in the AD. So that I can use the groups in the policies.

I´m trying to do a group mapping in some way like you do through LDAP.

Is this possible?

Thank you in advance!

Re: group-based policies for RADIUS authenticated users.

OtakarKlier — Thu, 30 Dec 2021 15:43:13 GMT

Hello,

Yes this is possible.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/authentication/configure-ldap-authentication

Regards,

Re: group-based policies for RADIUS authenticated users.

Alen_Bilich — Mon, 23 Oct 2023 09:01:09 GMT

hi @OtakarKlier This KB is for LDAP and not for Radius like what @Carracido was after. I am also having issues with Radius and retrieving user groups. i have ticket the 'Retrieve user groups' in the auth profile and configure radius with what i believe are the correct VSA's as per https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIxCAK

Unfortunately i still cannot pull any groups up to panorama/firewall. Unfortunately this design cannot utilise LDAP at the moment so my options are limited. Any suggestions?

Re: group-based policies for RADIUS authenticated users.

Raido_Rattameister — Mon, 23 Oct 2023 12:15:38 GMT

You can configure VSA's to use group membership to log into the firewall but Palo don't support using RADIUS groups in security policies.

There is a feature request FR2729 to add that capability.

Ask your Palo SE to add a vote to it.

Re: group-based policies for RADIUS authenticated users.

Alen_Bilich — Mon, 23 Oct 2023 12:19:00 GMT

hi @Raido_Rattameister thanks for the update. in my case, the customer doesnt require security enforcement via policy. At this stage we want to just pull the user groups up from radius and use the im the auth profile and subsequently the client config in GP. If you have any advice, it would be appreciated.

Re: group-based policies for RADIUS authenticated users.

TonyDeHart — Tue, 24 Oct 2023 20:09:19 GMT

I did get this working but it took quite a lot of messing around so as to not break inadvertently what was working. Not sure what the issue is on your end but in my case we did not have the USER DOMAIN field filled in or the RETRIEVE USER GROUP FROM RADIUS options checked. I never went far enough with it to tell if I absolutely needed the domain in there but in my case this was what ultimately did the trick for me.

Also the gateway or wherever the RADIUS group check is being done needs the full distinguished name to work properly.

Re: group-based policies for RADIUS authenticated users.

Alen_Bilich — Wed, 25 Oct 2023 01:01:55 GMT

hi @TonyDeHart thanks for the info. i have configured the user domain and ticked 'retrieve user groups' in the auth profile. i have no issue with authenticating user with radius when 'All' is selected.

VSA's configured on the radius for user group IT as an example.

if anyone has any ideas, let me know.

Re: group-based policies for RADIUS authenticated users.

TonyDeHart — Wed, 25 Oct 2023 12:10:55 GMT

I'm no expert on this, but what I was told when working with Palo support,was that the domain actually doesn't have any impact on the RADIUS authentication itself (in my case it is RSA) and that the domain and group info used is actually using the LDAP groups defined in the authentication profile to determine group membership. Without the domain configured it wasn't determining/matching the groups up with the auth profile and failed the membership check. It was necessary for the groups to be included in the auth profile AND the domains to match.

Sorry it was a detail I'd forgotten until I looked a bit closer.