topic Re: Captive Portal with Radius and groups of users in General Topics

Captive Portal with Radius and groups of users

_slv_ — Tue, 02 Dec 2014 14:22:30 GMT

Hello

I'd like to consult with You one problem. My users authenticate with Radius on Captive Portal web page.

Problem that comes to me is how to assign access according to groups of users. My FreeRadius has only one group of users, I can add more but how to use it in PAN?

I read How to Configure RADIUS Authentication and there is "Retrieve user groups" checkbox but after I enabled it and do commit I cant see my groups in ADD in Authenticate Profile tab.

I know that I should use RADIUS Vendor Specific Attributes (VSA)

PaloAlto-User-Group: Attribute #5 - This is the name of the group to be used in the Authentication Profile

Do You know how to configure FreeRadius to use it? Please point me in right direction with this problem.

Regards

SLawek

Re: Captive Portal with Radius and groups of users

_slv_ — Thu, 04 Dec 2014 15:23:03 GMT

bump

No one is using RAdius auth with groups pulling ?

Regards

SLawek

Re: Captive Portal with Radius and groups of users

Wenar — Thu, 04 Dec 2014 16:42:36 GMT

Hi,

from my understanding the option Retrieve user groups doesn't retrieve the groups and lists them on any tab. It's just so it will ask the radius server for the VSA #5 like you already linked. The Radius server will send the attribute back and has to match the "user" (groupname in auth profile)

I never worked with FreeRadius but you could follow this guide Adding vendor-specific RADIUS attributes (BlueCoat ProxySG) | David Vassallo's Blog and change everything to the Palo Alto attributes

There is no guaranty that this will work. I hope this helps a bit.

Re: Captive Portal with Radius and groups of users

_slv_ — Mon, 08 Dec 2014 08:55:44 GMT

I sow it before I posted this question.

At the moment I have one problem, and I cant find answer: Is is possible to use in security policies groups from Radius?

According to my knoweladge is it possible to limit authenticating to group defined in authentificate profile, but what next?

Regards

Slawek

Re: Captive Portal with Radius and groups of users

Wenar — Mon, 08 Dec 2014 09:15:32 GMT

Hi,

in my tests it didn't work to use radius groups in security rules. I think the device only looks up the groups for the user if they try to authenticate. After that the groups of the user are unknown. I didn't get an official answer from palo alto for this problem but I never had the request to use radius groups in policies.

Re: Captive Portal with Radius and groups of users

_slv_ — Mon, 08 Dec 2014 10:35:35 GMT

so I wil lask my SE for confirmation, but this isnt a good news for me

Thank You

Regards

Slawek

Re: Captive Portal with Radius and groups of users

reseau.dtsi — Thu, 15 Dec 2016 22:39:01 GMT

Hi,

Did you had confirmation about this ?

I trying to accomplish exactly the same thing but on globalprotect, and my group never match.

2016-12-16 09:27:36.550 +1100 debug: pan_process_radius_auth(pan_authd.c:1115): Found radius group VPN_1 for user OCEAN\michel
2016-12-16 09:27:36.550 +1100 authentication succeeded for user <vsys1,FreeRadius,OCEAN\michel>
2016-12-16 09:27:36.551 +1100 authentication succeeded for remote user <OCEAN\michel(orig:michel)>
2016-12-16 09:27:36.551 +1100 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: OCEAN\michel authresult auth'ed
2016-12-16 09:27:36.551 +1100 Request received to unlock vsys1/VPN_Auth_ALL/OCEAN\michel
2016-12-16 09:27:36.552 +1100 User 'OCEAN\michel' authenticated. Profile FreeRadius in an authentication sequence VPN_Auth_ALL succeeded.  From: 203.147.79.6.

If I use michel account to allow access to globalprotect it works.

If I use radius group "VPN_1" to allow access to globalprotect, nothing happen, even if pan retrieve correctly the name of the group.