RADIUS (not Active Directory) and Allow List

Reply
Highlighted
L0 Member

RADIUS (not Active Directory) and Allow List

Hi, I'm configuring a RADIUS different than Active Directory, I use Radius users for SSL-VPN and GUI and all works fine but always I've to add manually the Radius user to Allow List in Authentication Profile, is there any way to avoid this. If I've to add users in Palo ALto then I don't need Radius.

Thank you in advance

Samuel

Tags (1)
rps
L3 Networker

Re: RADIUS (not Active Directory) and Allow List

Isnt it possible to select "known-user" as with source user and policies?

L4 Transporter

Re: RADIUS (not Active Directory) and Allow List

Hello A.Cardaso,

You will always need to add the users to the allow list in the authentication profile if you are not going to user the local database. The authentication profile defines what users/groups will be allowed to connect over the VPN and how they will be authenticated.

You mentioned the following:

If I've to add users in Palo ALto then I don't need Radius.

When you add users to the allow list, these are actually users that are already in active directory. Those users' credentials still need to be submitted to the radius server for verification. That is the significant difference between using local data base and radius.

Currently there isn't a mechanism on the Paloalto device to automatically add all of the AD users to the all list in the ssl vpn authentication profile.

thanks

L1 Bithead

Re: RADIUS (not Active Directory) and Allow List

Hi Samuel,

Can you try adding the magic word "all" (without the double quotes) in your Authentication Profile -> Edit Allow List -> Additional Users : "all"

It should work if you run 3.1.x, and hit commit.

Arnaud.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!