Can I use Radius Accounting or Diameter as source of rules in ISP network?

Hi,

I want to install the PA in my ISP network as a transparent bridge. I'm looking for a way to configure the machine to get an IP address and then translate it via RADIUS accounting / Diameter protocol to the user info.

Do you know how it can be done?

How is it installed in other ISP's?

Tal

L4 Transporter

Re: Can I use Radius Accounting or Diameter as source of rules in ISP network?

It sounds like you are trying to use the "User Identification" feature to associate the user name with the IP. Normally we deploy in a corporate environment where everybody logs into a Microsoft AD server. Our agent queries the security log and maps the username to the IP based on the log entry. Is your RADIUS server Microsoft? The agent does have an API that can be used for injecting user/IP info into the agent. I do not know how well this will work in your environment.

The Palo Alto can be deployed in L2 mode like a switch/bridge, or you can use VWIRE. VWIRE is limited to 2 Ethernet ports. Anything that enters on port 1 is forced out port 2. VWire does not have a MAC address or an IP address. It cannot do NAT or tunnel termination. You would have to use a third interface and connect it to the same switch as the VWIRE to provide these services. Since the VWIRE has no MAC of its own, if we send a TCP reset, we spoof the source MAC, so it becomes difficult to track down the source with a sniffer.

You need to check interface counters to confirm we sent the RST.

Steve Krall

Not applicable

Re: Can I use Radius Accounting or Diameter as source of rules in ISP network?

Hello,

My environment is an ISP; the project is "Clean Pipe". The users come from their devices and surf the web. I need to catch them on the way (in L2 mode) and, based on their profile in the RADIUS server (not AD / Microsoft), provide them services like AV, URL filtering and mail relay.

tal

L5 Sessionator

Re: Can I use Radius Accounting or Diameter as source of rules in ISP network?

Currently PAN-OS can provide user-identification service using AD, terminal server, or captive portal. We do not have the option to map the user IP based on Radius assigned IP address. If not using AD then captive portal may be your best option at this time as you can at least authenticate your users based on Radius when they hit the Captive Portal redirect page.

If you require user id methods other than what is mentioned above, I would suggest to speak to your Palo Alto Sales Rep or SE to inquire about roadmap and new feature requests.

-Richard

L4 Transporter

Re: Can I use Radius Accounting or Diameter as source of rules in ISP network?

You might explore using the UserID XML API to map RADIUS users to IP addresses:

https://live.paloaltonetworks.com/docs/DOC-1348

You would still need to use LDAP or AD to get user to group mappings.

Cheers,

Kelly
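As an added example (not code from this thread, from Palo Alto Networks, or from the linked document), the script below shows the shape of what Kelly is suggesting: read RADIUS accounting records (Accounting-Start / Interim-Update / Stop), pull User-Name and Framed-IP-Address out of each, and turn them into the <uid-message> XML that the User-ID XML API accepts via the "cmd" parameter at https://<firewall>/api/?type=user-id&key=<key>. The FreeRADIUS-style detail-file records are constructed sample data; the firewall host name, the API key and the 20-minute mapping timeout are placeholder assumptions. Group membership still has to come from LDAP/AD as Kelly notes; this only produces the user-to-IP mapping.

```python
"""
Added example (not from the thread or from Palo Alto Networks): convert RADIUS
accounting records into PAN-OS User-ID XML API <uid-message> documents.

Assumptions: the accounting text below is constructed sample data in the
FreeRADIUS "detail" file layout; the firewall host name, API key and timeout
in build_api_request()/to_uid_message() are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Constructed sample: one attribute per indented line, blank line between records.
SAMPLE_ACCOUNTING = """\
Mon Jan  7 10:00:01 2013
\tAcct-Status-Type = Start
\tUser-Name = "tal@isp.example"
\tFramed-IP-Address = 100.64.12.34
\tAcct-Session-Id = "0a1b2c3d"

Mon Jan  7 10:05:01 2013
\tAcct-Status-Type = Interim-Update
\tUser-Name = "sample.wu@isp.example"
\tFramed-IP-Address = 100.64.12.35
\tAcct-Session-Id = "0a1b2c3e"

Mon Jan  7 10:30:01 2013
\tAcct-Status-Type = Stop
\tUser-Name = "tal@isp.example"
\tFramed-IP-Address = 100.64.12.34
\tAcct-Session-Id = "0a1b2c3d"
"""

# Matches 'Attribute = value' or 'Attribute = "value"'; the timestamp line has no '='.
ATTR_RE = re.compile(r'^\s*([\w-]+)\s*=\s*"?([^"\n]*?)"?\s*$')


def parse_accounting(text):
    """Split detail-file text into a list of {attribute: value} dicts, one per record."""
    records, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def to_uid_message(records, timeout_minutes=20):
    """Build one <uid-message> from accounting records.

    Start and Interim-Update become <login> entries (an Interim-Update refreshes
    the mapping before the timeout ages it out); Stop becomes <logout>.
    Records missing User-Name, Framed-IP-Address or Acct-Status-Type are skipped,
    since there is nothing to map. Returns (xml_string, logins, logouts).
    """
    logins, logouts = [], []
    for rec in records:
        user, ip, status = (rec.get("User-Name"), rec.get("Framed-IP-Address"),
                            rec.get("Acct-Status-Type"))
        if not (user and ip and status):
            continue
        if status in ("Start", "Interim-Update"):
            logins.append((user, ip))
        elif status == "Stop":
            logouts.append((user, ip))

    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode"), logins, logouts


def build_api_request(xml_message, firewall="pa-clean-pipe.isp.example",
                      api_key="PLACEHOLDER_API_KEY"):
    """Return (url, form_body) for the User-ID XML API call; both arguments are placeholders.

    The real call is an HTTPS POST of form_body to url (urllib.request or requests);
    it is not performed here so the example runs offline.
    """
    url = f"https://{firewall}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": xml_message})
    return url, body


if __name__ == "__main__":
    xml_msg, logins, logouts = to_uid_message(parse_accounting(SAMPLE_ACCOUNTING))
    print(xml_msg)
    print(build_api_request(xml_msg)[0])
```

In production this would tail the detail file (or take records from a RADIUS accounting proxy) and post one message per record as it arrives, rather than batching a Start and its later Stop into one document as the sample does; the timeout should be set at or slightly above the NAS's interim-accounting interval so mappings expire when updates stop arriving.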

L4 Transporter

Re: Can I use Radius Accounting or Diameter as source of rules in ISP network?

Hi, Richard,

Excuse me, but I just have a question and this discussion is similar.

Is there any roadmap or feature request you know of now? PAN-OS has been revised to PAN-OS 5.0 and I never see it in the RADIUS server profile, so I just want to know if there is any update so far.

Thanks,

Sample Wu
