I'm using freeradius as the radius server and trying to connect it with a PA-500. (I tried to access the freeradius setup document at https://live.paloaltonetworks.com/docs/DOC-1238 but I am apparently unauthorized - do you know what level of support you need to access it?)
When I try to access a website that requires captive portal, the authentication page appears but I am unable to authenticate my username/password. The radius server is also not seeing the authentication request, so I suspect this is a network connectivity issue.
The radius server is located in a zone that has access to the "outside" web server and the "inside" host has access to the radius server "zone".
All of my ports are configured to be Layer 3.
I'm having a lot of difficulty because I'm lacking visibility on exactly what is happening... is there a way to verify that my radius server is indeed communicating with the PA-500?
It seems like we may need to modify the rights to the FreeRadius document as I'm unable to view it as well. Have you looked in the System Log within the Monitor tab on the PAN device? Are you utilizing a PAN-Agent for user identification in your setup? Did you confirm that the correct IP address is configured on the Radius server and client configuration? Did you confirm the shared key is correct, meaning, it wasn't copied and pasted on the 'Secret Field?'
What's the output from tailing the authd.log?
pan500>tail mp-log authd.log
I've been seeing captive portal authentication failures in the System Log in the Monitor tab. It doesn't really document what kind of failure it is, but I suspect it is a timeout or radius server failure because my radius server running in debug mode is not logging any authentication requests.
I am not using a PAN-Agent, assuming that's the agent that gets downloaded to the captive "host". I would like to try to have captive portal working without the user agent as acquiring a lot of agents (other VPNs, etc.) on a host can cause conflicts.
I was also wondering about the IP address of the radius client to configure in freeradius. I am not using the radius server to authentication management access, so the management IP would not apply. I've place the management interface within the "inside" zone.
The freeradius server is in the "dmz" zone (a Layer 3 port) which is accessible both to the "inside" and "outside" zone.
Would the ip of the radius client (PA-500) be the firewall port IP? Like the Layer 3 port, ie. 192.168.1.1?
The shared key (secret) was confirmed, manually typed into the Secret Field.
The authd.log is not applicable in my case right? I assumed that is only for the management port. I would use "tail mp-log captive_portal.log"
btw, having two radius server configurations in two different places for two different types of authentications (management and user) is really confusing (I got really confused at first).
The output log looks like this at one point :
admin@PA-500> tail follow yes mp-log captive_portal.log
Jan 06 16:18:18 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:99): sync modify <sw.mgmt.runtime.clients.captive_portal.register> failed: NO_MATCHES
Jan 06 16:18:18 cfgagent register failed in try 1/5. sleeping for 5 seconds...
Jan 06 16:18:23 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:99): sync modify <sw.mgmt.runtime.clients.captive_portal.register> failed: NO_MATCHES
Jan 06 16:18:23 cfgagent register failed in try 2/5. sleeping for 5 seconds...
Jan 06 16:18:28 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:99): sync modify <sw.mgmt.runtime.clients.captive_portal.register> failed: NO_MATCHES
Jan 06 16:18:28 cfgagent register failed in try 3/5. sleeping for 5 seconds...
Jan 06 16:18:33 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:99): sync modify <sw.mgmt.runtime.clients.captive_portal.register> failed: NO_MATCHES
Jan 06 16:18:33 cfgagent register failed in try 4/5. sleeping for 5 seconds...
Jan 06 16:18:38 Error: pan_cfgagent_write_sysd_boolean_sync(pan_cfgagent.c:99): sync modify <sw.mgmt.runtime.clients.captive_portal.register> failed: NO_MATCHES
Jan 06 16:18:38 Error: pan_cfgagent_enable(pan_cfgagent.c:734): failed to register config agent with management server
First and foremost, I've attached the freeradius doc for use in your setup. Also, we might need to do a gotomeeting session so I can take a close look at all the parameters and nuances of your setup. What's your availability?
I just got back into the office today. I've been working in the lab where I had a few machines hooked up to the PA-500, in an isolated environment without internet access.
I started the upgrade process on Friday to update the PAN-OS since we're still running 3.0 . I don't know if it would solve anything, but I'd like to do that before continuing troubleshooting.
What do you need from me for a gotomeeting?
The PA-500 has been upgraded to PAN-OS 3.1.6 .
I don't see the captive_portal.log anymore under #tail mp-log
I get the following errors in authd.log (does that cover both captive portal and admin?):
admin@PA-500> tail mp-log authd.log
Jan 11 16:06:32 User 'pek' failed authentication. Reason: Invalid username/password From: 10.1.0.2.
Jan 11 16:06:32 pan_authd_send_auth_resp(pan_authd.c:1775): pan_authd_send_auth_resp
Jan 11 16:06:32 pan_authd_send_auth_resp(pan_authd.c:1793): Sent the response to client
Jan 11 16:07:41 pan_authd_loop(pan_authd.c:2101): Got a msg to authd
Jan 11 16:07:41 pan_authd_loop(pan_authd.c:2111): recv'ed 1068 bytes from 127.0.0.1
Jan 11 16:07:41 pan_authd_service_req(pan_authd.c:1936): pan_authd_service_req()
Jan 11 16:07:41 pan_authd_service_req(pan_authd.c:1954): Authd:get group request
Jan 11 16:07:41 pan_authd_handle_group_req(pan_authd.c:1905): Got user role/adomain / for user admin
Jan 11 16:07:41 pan_authd_handle_group_req(pan_authd.c:1918): Sending group response msg type 3, conv id 1, to 127.0.0.1 : 38525
Jan 11 16:07:41 pan_authd_handle_group_req(pan_authd.c:1923): Sent the auth group response to client
The above log does not look like captive portal problems. On the GUI, under Monitor > System, I see two related error messages:
|01/11 16:06:34||general||informational||general||Captive portal authentication failed for user: pek on 10.1.0.2, vsys1|
|01/11 16:06:32||general||informational||auth-fail||User 'pek' failed authentication. Reason: Invalid username/password From: 10.1.0.2.|
I've simplified my network configuration to be a star network (essentially flat where the the Palo Alto is in the middle doing routing between devices) and all active interfaces are in one zone.
I'm still stuck trying to figure out why the radius server is not receiving authentication requests from the palo alto.
Thanks for all of the information. At this point I would suggest opening a case with your support provider so that a live troubleshooting session can take place.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!