https://live.paloaltonetworks.com/t5/general-topics/radius-not-active-directory-and-allow-list/m-p/9659#M7077 <HTML><HEAD></HEAD><BODY><P>Hello A.Cardaso,</P><P>You will always need to add the users to the allow list in the authentication profile if you are not going to user the local database. The authentication profile defines what users/groups will be allowed to connect over the VPN and how they will be authenticated.</P><P></P><P>You mentioned the following:</P><P>If I've to add users in Palo ALto then I don't need Radius.</P><P></P><P>When you add users to the allow list, these are actually users that are already in active directory. Those users' credentials still need to be submitted to the radius server for verification. That is the significant difference between using local data base and radius.</P><P>Currently there isn't a mechanism on the Paloalto device to automatically add all of the AD users to the all list in the ssl vpn authentication profile.</P><P></P><P></P><P>thanks</P></BODY></HTML> Tue, 09 Mar 2010 19:17:37 GMT swhyte 2010-03-09T19:17:37Z https://live.paloaltonetworks.com/t5/general-topics/radius-not-active-directory-and-allow-list/m-p/9657#M7075 <HTML><HEAD></HEAD><BODY><P>Hi, I'm configuring a RADIUS different than Active Directory, I use Radius users for SSL-VPN and GUI and all works fine but always I've to add manually the Radius user to Allow List in Authentication Profile, is there any way to avoid this. If I've to add users in Palo ALto then I don't need Radius.</P><P>Thank you in advance</P><P>Samuel</P></BODY></HTML> Tue, 09 Mar 2010 17:40:27 GMT https://live.paloaltonetworks.com/t5/general-topics/radius-not-active-directory-and-allow-list/m-p/9657#M7075 a.cadarso 2010-03-09T17:40:27Z https://live.paloaltonetworks.com/t5/general-topics/radius-not-active-directory-and-allow-list/m-p/9658#M7076 <HTML><HEAD></HEAD><BODY><P>Isnt it possible to select "known-user" as with source user and policies?</P></BODY></HTML> Tue, 09 Mar 2010 18:24:46 GMT https://live.paloaltonetworks.com/t5/general-topics/radius-not-active-directory-and-allow-list/m-p/9658#M7076 rps 2010-03-09T18:24:46Z https://live.paloaltonetworks.com/t5/general-topics/radius-not-active-directory-and-allow-list/m-p/9659#M7077 <HTML><HEAD></HEAD><BODY><P>Hello A.Cardaso,</P><P>You will always need to add the users to the allow list in the authentication profile if you are not going to user the local database. The authentication profile defines what users/groups will be allowed to connect over the VPN and how they will be authenticated.</P><P></P><P>You mentioned the following:</P><P>If I've to add users in Palo ALto then I don't need Radius.</P><P></P><P>When you add users to the allow list, these are actually users that are already in active directory. Those users' credentials still need to be submitted to the radius server for verification. That is the significant difference between using local data base and radius.</P><P>Currently there isn't a mechanism on the Paloalto device to automatically add all of the AD users to the all list in the ssl vpn authentication profile.</P><P></P><P></P><P>thanks</P></BODY></HTML> Tue, 09 Mar 2010 19:17:37 GMT https://live.paloaltonetworks.com/t5/general-topics/radius-not-active-directory-and-allow-list/m-p/9659#M7077 swhyte 2010-03-09T19:17:37Z https://live.paloaltonetworks.com/t5/general-topics/radius-not-active-directory-and-allow-list/m-p/9660#M7078 <HTML><HEAD></HEAD><BODY><P>Hi Samuel,</P><P></P><P>Can you try adding the magic word "all" (without the double quotes) in your Authentication Profile -&gt; Edit Allow List -&gt; Additional Users : "all"</P><P></P><P>It should work if you run 3.1.x, and hit commit.</P><P></P><P>Arnaud.</P></BODY></HTML> Mon, 31 May 2010 22:21:54 GMT https://live.paloaltonetworks.com/t5/general-topics/radius-not-active-directory-and-allow-list/m-p/9660#M7078 akopp 2010-05-31T22:21:54Z