How to use "Retrieve User Group" feature in RADIUS profile?

Not applicable

I would like to use my AD groups in Security rules (along with RADIUS and HTML Captive Portal). So far I managed to use "known users" only, which seems to be due to a lack of group attribute exchange between PAN and RADIUS (MS IAS 2003).

I found the promising "Retrieve User Group" checkbox in the RADIUS authentication profile settings, but so far I haven't found any reference to it in the Knowledgepoint.

Can anyone point me to relevant docs, or share a personal experience?

Sincerely,

Evgeny

L3 Networker

Re: How to use "Retrieve User Group" feature in RADIUS profile?

In order to use AD groups in security policies you will have to forward the group information from the Pan-Agent to the PAN firewall using the Filter Group Members setting on the Pan-Agent GUI.

Not applicable

Re: How to use "Retrieve User Group" feature in RADIUS profile?

I am not going to use the PAN agent (for this network segment), but rather the HTTP Captive Portal with RADIUS. My problem is that the only method that has worked so far is defining "known user" in the security rule and a specific AD user group in the RADIUS policy, which is not what I need (actually I need the contrary).

Sincerely,

Evgeny

L4 Transporter

Re: How to use "Retrieve User Group" feature in RADIUS profile?

Hi There,

You should configure an LDAP connection to your AD server in order to obtain groups for users that login via Captive Portal - you can use either RADIUS or LDAP to actually auth the users.

This doc may help you:

https://live.paloaltonetworks.com/docs/DOC-1445#comment-1211

Thanks

James

Not applicable

Re: How to use "Retrieve User Group" feature in RADIUS profile?

Thanks, James.

I will try to configure LDAP auth (actually I believe that I would not need RADIUS if LDAP auth is in place).

Evgeny

L4 Transporter

Re: How to use "Retrieve User Group" feature in RADIUS profile?

Hi Evgeny,

You are correct - although it is also possible to auth users via RADIUS and get group info from LDAP. One use case for this is when two-factor authentication is required.

Good Luck!

James

L4 Transporter

Re: How to use "Retrieve User Group" feature in RADIUS profile?

I think these comments are missing your original question. There is a RADIUS VSA that you can use to have the RADIUS server pass the group info. It is called PaloAlto-User-Group. If you use this VSA on the RADIUS server and then check the Retrieve User Group option you mention, the group name specified in the VSA will be checked against the allow list of the auth profile. You can enter the group names manually in the auth profile.

Mike
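To make the exchange Mike describes concrete, here is an added example (written for this edit, not code from Palo Alto Networks or from any poster): it builds a constructed RADIUS Access-Accept carrying PaloAlto-User-Group VSAs, verifies the Response Authenticator against the shared secret before trusting anything in the reply, extracts the group names and checks them against an allow list the way the auth profile's "Retrieve User Group" check would. The vendor ID 25461 and the sub-attribute number 5 for PaloAlto-User-Group are taken from the publicly distributed Palo Alto RADIUS dictionary and should be treated as assumptions to confirm against the dictionary file for your own PAN-OS version; the shared secret, Request Authenticator and group names are constructed sample data.

```python
import hashlib
import hmac
import struct

# RFC 2865 constants
CODE_ACCESS_ACCEPT = 2
ATTR_VENDOR_SPECIFIC = 26
# Assumed values from the Palo Alto Networks RADIUS dictionary: check them
# against the dictionary file shipped for your PAN-OS version.
PALOALTO_VENDOR_ID = 25461
PALOALTO_USER_GROUP = 5


def vsa(vendor_id, vendor_type, value):
    """Encode one Vendor-Specific attribute (type 26) carrying one vendor sub-attribute."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def iter_attrs(data):
    """Yield (type, value) for each attribute in a RADIUS attribute list, rejecting bad lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        yield atype, data[i + 2:i + alen]
        i += alen


def user_groups(packet, request_auth, secret):
    """Verify the Response Authenticator, then return every PaloAlto-User-Group value
    found in the Access-Accept (a server may send more than one)."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        # Without the shared secret nobody can produce this digest, so a mismatch
        # means the reply was not sent (or was altered) by our RADIUS server.
        raise ValueError("bad Response Authenticator")
    if code != CODE_ACCESS_ACCEPT:
        return []
    groups = []
    for atype, value in iter_attrs(attrs):
        if atype != ATTR_VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != PALOALTO_VENDOR_ID:
            continue
        # One VSA may carry several vendor sub-attributes back to back.
        j = 4
        while j + 2 <= len(value):
            vtype, vlen = value[j], value[j + 1]
            if vlen < 2 or j + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            if vtype == PALOALTO_USER_GROUP:
                groups.append(value[j + 2:j + vlen].decode("utf-8", "replace"))
            j += vlen
    return groups


def allowed(groups, allow_list):
    """The auth-profile allow list check: the user passes if any returned group is listed."""
    return any(g in allow_list for g in groups)


def demo():
    """Constructed exchange (not a capture from any real server): the happy path plus
    a reply whose group name was rewritten in transit without the shared secret."""
    secret = b"testing123"            # constructed shared secret
    request_auth = bytes(range(16))   # constructed Request Authenticator from the Access-Request
    attrs = (vsa(PALOALTO_VENDOR_ID, PALOALTO_USER_GROUP, b"VPN-Users")
             + vsa(PALOALTO_VENDOR_ID, PALOALTO_USER_GROUP, b"Finance"))
    accept = build_access_accept(7, request_auth, secret, attrs)
    groups = user_groups(accept, request_auth, secret)
    forged = accept.replace(b"Finance", b"Admins!")   # same length, so only the digest differs
    try:
        user_groups(forged, request_auth, secret)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return groups, allowed(groups, {"VPN-Users"}), allowed(groups, {"Admins"}), forged_rejected


if __name__ == "__main__":
    print(demo())
```

The MD5-over-shared-secret authenticator is the only integrity protection RADIUS gives an Access-Accept, so the group attribute is only as trustworthy as the secret and the network path between the firewall and the RADIUS server; a strong secret and a trusted (or IPsec-protected) path are the practical mitigations. Note also that, as James points out later in this thread, a group delivered this way only feeds the auth profile's allow list; it does not by itself populate group-based security policy.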
Not applicable

Re: How to use "Retrieve User Group" feature in RADIUS profile?

Mike: indeed. :-)

Anyway, I am going to test both ways next week (RADIUS User group and LDAP).

Assuming that MS IAS 2003 knows how to deal with that PaloAlto-User-Group VSA....

L4 Transporter

Re: How to use "Retrieve User Group" feature in RADIUS profile?

Hi - I believe (from the original question) the groups are required for setting security policy. If this is true, then you'll need to use LDAP - VSAs are not currently supported for setting security policy rules against them. If the group information is for access rights to the device, then VSAs will work.

Just to try to help you save time :)

Thanks

James

L1 Bithead

Re: How to use "Retrieve User Group" feature in RADIUS profile?

I have found this doc where we are able to authenticate with RADIUS, and the group mapping for the same user can be used in policy with the help of LDAP having the same names.
