I want to install the PA in my ISP net as a transparent bridge. I'm looking for a way to configure the machine to get an IP address & then translate it via RADIUS accounting / Diameter protocol to the user info.
Do you know how it can be done?
How is it installed in other ISPs?
It sounds like you are trying to use the "User Identification" feature to associate the user name with the IP. Normally we deploy in a corporate environment where everybody logs into a Microsoft AD server. Our agent queries the security log and maps the username to the IP based on the log entry. Is your RADIUS server Microsoft? The agent does have an API that can be used for injecting user/IP info into the agent. I do not know how well this will work in your environment.
The Palo Alto can be deployed in L2 mode like a switch/bridge, or you can use VWIRE. VWIRE is limited to 2 Ethernet ports. Anything that enters on port 1 is forced out port 2. VWire does not have a MAC address or an IP address. It cannot do NAT or tunnel termination. You would have to use a third interface and connect it to the same switch as the VWIRE to provide these services. Since the VWIRE has no MAC of its own, if we send a TCP reset, we spoof the source MAC, so it becomes difficult to track down the source with a sniffer.
You need to check interface counters to confirm we sent the RST.
My environment is an ISP; the project is "Clean Pipe". The users are coming from their devices & surf the web. I need to catch them on the way (in L2 mode) & based on their profile in the RADIUS (not AD / Microsoft) provide them services like AV, URL Filtering & Mail Relay.
Currently PAN-OS can provide user-identification service using AD, terminal server, or captive portal. We do not have the option to map the user IP based on Radius assigned IP address. If not using AD then captive portal may be your best option at this time as you can at least authenticate your users based on Radius when they hit the Captive Portal redirect page.
If you require user id methods other than what is mentioned above, I would suggest to speak to your Palo Alto Sales Rep or SE to inquire about roadmap and new feature requests.
You might explore using the UserID XML API to map RADIUS users to IP addresses:
You would still need to use LDAP or AD to get user to group mappings.
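As an added illustration of the XML API route suggested above (not code from this thread or from Palo Alto Networks): a small script that turns RADIUS accounting Start/Stop records into a User-ID `uid-message` and posts it to the firewall's XML API. The accounting records are constructed sample data; the firewall host, API key, the `isp\` domain prefix and the 60-minute mapping timeout are assumptions you would replace.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample RADIUS accounting events (RFC 2866 attribute names,
# made-up values), as a RADIUS accounting proxy or log parser would hand them over.
SAMPLE_ACCT_EVENTS = [
    {"Acct-Status-Type": "Start", "User-Name": "alice", "Framed-IP-Address": "10.0.1.23"},
    {"Acct-Status-Type": "Start", "User-Name": "bob",   "Framed-IP-Address": "10.0.1.24"},
    {"Acct-Status-Type": "Stop",  "User-Name": "alice", "Framed-IP-Address": "10.0.1.23"},
]

def build_uid_message(events, domain="isp", timeout_min=60):
    """Translate accounting Start/Stop events into a User-ID <uid-message>:
    Start -> <login> entry, Stop -> <logout> entry (domain and timeout are assumptions).
    ElementTree escapes attribute values, so a hostile User-Name cannot inject XML."""
    logins, logouts = [], []
    for ev in events:
        user, ip = ev.get("User-Name"), ev.get("Framed-IP-Address")
        if not user or not ip:
            continue  # Interim-Update without an address, or malformed record: skip
        name = f"{domain}\\{user}"
        if ev.get("Acct-Status-Type") == "Start":
            logins.append((name, ip))
        elif ev.get("Acct-Status-Type") == "Stop":
            logouts.append((name, ip))
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for name, ip in logins:
            ET.SubElement(login, "entry", name=name, ip=ip, timeout=str(timeout_min))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for name, ip in logouts:
            ET.SubElement(logout, "entry", name=name, ip=ip)
    return ET.tostring(root, encoding="unicode")

def send_uid_message(firewall_host, api_key, xml_msg):
    """POST the message to the firewall XML API endpoint (type=user-id)."""
    form = {"type": "user-id", "key": api_key, "cmd": xml_msg}
    data = urllib.parse.urlencode(form).encode()
    with urllib.request.urlopen(f"https://{firewall_host}/api/", data=data) as resp:
        return resp.read().decode()

def mapping_counts(xml_msg):
    """Parse a message back and return (login entries, logout entries) for checks."""
    root = ET.fromstring(xml_msg)
    return (len(root.findall("./payload/login/entry")),
            len(root.findall("./payload/logout/entry")))
```

In practice the script would be fed by your RADIUS accounting server (for example a FreeRADIUS accounting hook) and the resulting map only gives user-to-IP; group membership still has to come from LDAP as noted above.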
Excuse me, but I just have a question and this discussion is similar.
Is there any roadmap or feature request you know of now? As PAN-OS is revised to PAN-OS 5.0, I never see it in the RADIUS server profile, so I just want to know if there is any update till now.