06-01-2017 11:26 AM
Has anyone run across issues where Radius server is having difficulty in identifying if it's a management login vs GP portal login.
We are having a hard time to identify the difference, when we use Clear pass as our radius server.
Little Background:
A user(valid admin) uses his creds to login to the GUI. PA uses its mgmt interface to send creds, to validate with Radius(clearpass in our case).
A user(regular user not admin) uses his creds to log in to GP portal(not GP client- GP client works fine as it sends different Radius -VSattr. in the request). PA again uses the mgmt interface.
Radius server in the backend has difficulties in identifying difference between (1) and (2). Any one had seen this.?
06-01-2017 12:47 PM
I would recommend using different credentials for your admin login. In this case it would be easy to distinguish between a normal and an admin user.
The other possibility you have is using different authentication profiles with the same radius server profiles attached to it. Paloalto devices send the authentication profile name as an attribute in the radius request, which you could use in different radius authentication rules to itentify which login comes from GP and which one from an admin login.
06-01-2017 12:47 PM
I would recommend using different credentials for your admin login. In this case it would be easy to distinguish between a normal and an admin user.
The other possibility you have is using different authentication profiles with the same radius server profiles attached to it. Paloalto devices send the authentication profile name as an attribute in the radius request, which you could use in different radius authentication rules to itentify which login comes from GP and which one from an admin login.
06-02-2017 10:09 AM
Thank you for the reply.
I tried adding same radius servers as a part of different authentication profile. It didnt work.
I cannot have same radius servers in different auth-profiles.
Still reasearching on how to configure this right.
06-02-2017 10:19 AM
What PAN-OS version do you use?
Because I have done exactly this: same RADIUS server profile in different authentication profiles so on the RADIUS server we are able to identify to which user directory the request has to be forwarded.
I have configured this on panorama running 8.0.2.
06-02-2017 12:06 PM
I am using 7.1.6.
I have tried what you have mentioned below, but in my case I dont see it in the dropdown.
One other thing is we dont have a definitive group of people in the Radius users group, In other words, it is "all"
Hope I made sense.
06-02-2017 12:15 PM
What item does not show up and in which dropdown?
May be you could share screenshots?
06-02-2017 12:42 PM
Now I Understood it correctly. I was always focusing on the Radius tab, but I should have to configure in the authentication profile tab as two different profiles.
I tested and it worked. Thanks for the idea and your time.
Appreciate your replies.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
