Can I use Radius Accounting or Diameter as source of rules in ISP network?

Not applicable

Can I use Radius Accounting or Diameter as source of rules in ISP network?


I want to install the PA in my ISP net as transparent bridge, I'm looking for a way to configure the machine to get an IP address & then translate it via Radius acounting / diameter protocol to the user info.

Do you know how it can be done?

How is it installed in other ISP's?


Tags (3)
L4 Transporter

It sounds like you are trying to use the "user Identification" feature to associate the  User name with the IP. Normally we deploy in a corporate environment where everybody log into a Microsoft AD server. Our agent queries the security log and maps the username to the IP based on the log entry. Is your RADIUS server Microsoft?    The agent does have an API  that can be used for injecting user/IP info into the agent. I do not know how well this will work in your environment.

The Paloalto can be deployed in L2 mode like a switc/bridge or you can use VWIRE.  VWIRE is limited to 2 ethernet ports. Anything hat enters on port 1 is forced out port 2. VWire does not have a MAC address or an IP address. It can not do NAT or tunnel termination. You would have to use a third interface and connect it to the same switch as the VWIRE to provide these services. Since the VWIRE has no MAC of its own, if we send a TCP reset,we spoof the source MAC so it becomes difficult to track down the source with a sniffer.

You need to check interface counters to confirm we sent the RST.

Steve Krall

Not applicable


My enviorment is an ISP, the project is "Clean Pipe". the users are coming from their devices & surf into the web, I need to catch them on the way (in L2 mode) & based on thier profile in the radius (not AD / Microsoft) provide them services like AV, URL Filtering & Mail Relay.


L5 Sessionator

Currently PAN-OS can provide user-identification service using AD, terminal server, or captive portal. We do not have the option to map the user IP based on Radius assigned IP address. If not using AD then captive portal may be your best option at this time as you can at least authenticate your users based on Radius when they hit the Captive Portal redirect page.

If you require user id methods other than what is mentioned above, I would suggest to speak to your Palo Alto Sales Rep or SE to inquire about roadmap and new feature requests.


L4 Transporter

You might explore using the UserID XML API to map RADIUS users to IP addresses:

You would still need to use LDAP or AD to get user to group mappings.



L4 Transporter

Hi, Richard,

Excuse me but I just have a question and this discusstion is similer.

Is there any roadmap or feature request you know now ? As the PAN-OS is revised to PAN-OS 5.0, I never see it in RADIUS server profile, so I just want to know if there any update till now.


Sample Wu

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!