Hi, I'm configuring a RADIUS different than Active Directory. I use Radius users for SSL-VPN and GUI and all works fine, but I always have to manually add the Radius user to the Allow List in the Authentication Profile. Is there any way to avoid this? If I've to add users in Palo Alto then I don't need Radius.
Thank you in advance
You will always need to add the users to the allow list in the authentication profile if you are not going to use the local database. The authentication profile defines what users/groups will be allowed to connect over the VPN and how they will be authenticated.
You mentioned the following:
If I've to add users in Palo Alto then I don't need Radius.
When you add users to the allow list, these are actually users that are already in Active Directory. Those users' credentials still need to be submitted to the RADIUS server for verification. That is the significant difference between using the local database and RADIUS.
Currently there isn't a mechanism on the Palo Alto device to automatically add all of the AD users to the allow list in the SSL VPN authentication profile.
Can you try adding the magic word "all" (without the double quotes) in your Authentication Profile -> Edit Allow List -> Additional Users : "all"
It should work if you run 3.1.x, and hit commit.