topic Re: Global Protect Radius Child Domains in General Topics

Global Protect Radius Child Domains

ddavis1 — Sat, 12 Apr 2014 13:29:48 GMT

Global Protect using Radius works perfect for users in the parent domain. It will not work for users in child domains.

I worked with Palo Support for several hours and they believe the issue is a setting on the Radius server but they do not know what the settings on the Radius server should be for child domains.

Does anyone know how to set the Radius server settings or have a DOC to it?

This is not an issue for my Cisco ASA...

14:45:02.165702 IP 192.168.165.241.54053 > Server.Parent.com.radius: RADIUS, Access Request (1), id: 0x4e length: 64

14:45:02.167058 IP Server.Parent.com..radius > 192.168.165.241.54053: RADIUS, Access Reject (3), id: 0x4e length: 20

Re: Global Protect Radius Child Domains

sjamaluddin — Sat, 12 Apr 2014 22:30:50 GMT

What happens if the user adds the prefix to the username to specify the child domain so that when the request is forwarded from the PAN firewall towards the RADIUS server the request is as follows ChildDomain\username rather than the user just trying to authenticate with the username only?

Re: Global Protect Radius Child Domains

ddavis1 — Mon, 14 Apr 2014 18:27:23 GMT

I was finally able to get the user to authenticate to the web address to download the client by adding the specific path for the child domain users in the PA Authentication Profile and doing the same on the radius server. But it does not work for the global protect client. I would think since it authenticated the user to download the client it would have worked when connecting with global protect.

Yes have to use ChildDomain\UserName

GlobalProtect portal user authentication failed. Login from: 70.210.1.8, User name: TestUser, Reason: Authentication failed: Invalid username or password