topic Radius access for MGT conflict radius for user access. in General Topics https://live.paloaltonetworks.com/t5/general-topics/radius-access-for-mgt-conflict-radius-for-user-access/m-p/40477#M29720 <HTML><HEAD></HEAD><BODY><P>Dear,</P><P></P><P>we use radius profiles for internal users towards a customer internal network policy server and so. The administration of the palo firewall is done via the MGT interface on a dedicted pvlan based administration network. We want to enable radius authentication for administrator purposes , but this seems to be impossible due to the fact that the service routing for radius&nbsp; (the interface selected is is the L3 interface of the customer zone ) is occupied. The radius requests for the MGT is also send via this way, wrong off course, it should come via the administration network towards another ( cisco ACS) server. Can this be done ? Seems it is impossible to make sure the MGT uses the MGT network interface apart from the customer zones.</P><P>Specific routings towards the ACS system in this service config pages seem to work, but the source ipaddress from the request is not the one from the MGT interface but from a L3 interface on the fw. speificied for the customer.</P><P></P><P>Can this be solved somehow ?</P></BODY></HTML> Wed, 12 Dec 2012 13:15:15 GMT gejack 2012-12-12T13:15:15Z Radius access for MGT conflict radius for user access. https://live.paloaltonetworks.com/t5/general-topics/radius-access-for-mgt-conflict-radius-for-user-access/m-p/40477#M29720 <HTML><HEAD></HEAD><BODY><P>Dear,</P><P></P><P>we use radius profiles for internal users towards a customer internal network policy server and so. The administration of the palo firewall is done via the MGT interface on a dedicted pvlan based administration network. We want to enable radius authentication for administrator purposes , but this seems to be impossible due to the fact that the service routing for radius&nbsp; (the interface selected is is the L3 interface of the customer zone ) is occupied. The radius requests for the MGT is also send via this way, wrong off course, it should come via the administration network towards another ( cisco ACS) server. Can this be done ? Seems it is impossible to make sure the MGT uses the MGT network interface apart from the customer zones.</P><P>Specific routings towards the ACS system in this service config pages seem to work, but the source ipaddress from the request is not the one from the MGT interface but from a L3 interface on the fw. speificied for the customer.</P><P></P><P>Can this be solved somehow ?</P></BODY></HTML> Wed, 12 Dec 2012 13:15:15 GMT https://live.paloaltonetworks.com/t5/general-topics/radius-access-for-mgt-conflict-radius-for-user-access/m-p/40477#M29720 gejack 2012-12-12T13:15:15Z Re: Radius access for MGT conflict radius for user access. https://live.paloaltonetworks.com/t5/general-topics/radius-access-for-mgt-conflict-radius-for-user-access/m-p/40478#M29721 <HTML><HEAD></HEAD><BODY><P>Hi...You can try this.&nbsp; Define 2 Radius servers/profiles, 1 for users and 1 for admin, where each server has a difference IP address.&nbsp; Then point the service route to 1 Radius server using mgt port, and use the destination option on the right to source from the 2nd interface to the 2nd Radius server.</P><P></P><P>Thanks.</P></BODY></HTML> Wed, 12 Dec 2012 15:47:41 GMT https://live.paloaltonetworks.com/t5/general-topics/radius-access-for-mgt-conflict-radius-for-user-access/m-p/40478#M29721 rmonvon 2012-12-12T15:47:41Z