Authentication Policy Cisco ASA to Palo Migration

cancel
Showing results for 
Search instead for 
Did you mean: 

Authentication Policy Cisco ASA to Palo Migration

L1 Bithead

Hi All, 

 

I'm just looking for some help in migrating an authentication policy for my customer. I have tried to do this in expedition but I'm not sure it works. The Cisco ASA config I am trying to migrate is decribed below:

/

aaa-server RadiusProfile protocol radius
aaa-server RadiusProfile (Inside) host 192.168.1.1
key MySecret

aaa authentication match AuthPolicy Inside RadiusProfile

/

access-list AuthPolicy line 1 extended permit ip 172.16.0.0 255.255.0.0 any4

 

I have tried creating an Authentication Profile on the Palo with a subsequent Authentication Enforcement Object. That is directly referenced in the Authentication policy which follows the asa access-list (permit zone Inside source address 172.16.0.0/16 to any destination) but I do not believe it is working. 

 

When I attempt to test it, the authentication policy has no hits on it. 

 

Looking for some help please if any of you have knowlege of this area. 

 

Best Regards

3 REPLIES 3

L4 Transporter

Hi @yaz3636 

 

Please  refer below article on how to configure authentication policy in Palo Alto Networks 

 

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/policies/policies-authenticat...

Hi @lychiang 

 

Yes I have followed these steps in the link you sent. 

Server Profile >

Auth Profile > (referencing Server Profile)

Authentication Object > (Referencing Auth Profile)

Authentication Policy > (referencing the Auth Object) 

 

I am still unable to get a hit on the authentication, I have used service any as a catch all, tested with SSH and Pings and still unable to get a hit. 

 

Regards

As I know this works on web traffic only . You might want to test with web traffic , if there is any questions , please open a TAC case. 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!