I'd like to consult with You one problem. My users authenticate with Radius on Captive Portal web page.
Problem that comes to me is how to assign access according to groups of users. My FreeRadius has only one group of users, I can add more but how to use it in PAN?
I read How to Configure RADIUS Authentication and there is "Retrieve user groups" checkbox but after I enabled it and do commit I cant see my groups in ADD in Authenticate Profile tab.
I know that I should use RADIUS Vendor Specific Attributes (VSA)
PaloAlto-User-Group: Attribute #5 - This is the name of the group to be used in the Authentication Profile
Do You know how to configure FreeRadius to use it? Please point me in right direction with this problem.
from my understanding the option Retrieve user groups doesn't retrieve the groups and lists them on any tab. It's just so it will ask the radius server for the VSA #5 like you already linked. The Radius server will send the attribute back and has to match the "user" (groupname in auth profile)
I never worked with FreeRadius but you could follow this guide Adding vendor-specific RADIUS attributes (BlueCoat ProxySG) | David Vassallo's Blog and change everything to the Palo Alto attributes
There is no guaranty that this will work. I hope this helps a bit.
I sow it before I posted this question.
At the moment I have one problem, and I cant find answer: Is is possible to use in security policies groups from Radius?
According to my knoweladge is it possible to limit authenticating to group defined in authentificate profile, but what next?
in my tests it didn't work to use radius groups in security rules. I think the device only looks up the groups for the user if they try to authenticate. After that the groups of the user are unknown. I didn't get an official answer from palo alto for this problem but I never had the request to use radius groups in policies.
Did you had confirmation about this ?
I trying to accomplish exactly the same thing but on globalprotect, and my group never match.
2016-12-16 09:27:36.550 +1100 debug: pan_process_radius_auth(pan_authd.c:1115): Found radius group VPN_1 for user OCEAN\michel 2016-12-16 09:27:36.550 +1100 authentication succeeded for user <vsys1,FreeRadius,OCEAN\michel> 2016-12-16 09:27:36.551 +1100 authentication succeeded for remote user <OCEAN\michel(orig:michel)> 2016-12-16 09:27:36.551 +1100 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: OCEAN\michel authresult auth'ed 2016-12-16 09:27:36.551 +1100 Request received to unlock vsys1/VPN_Auth_ALL/OCEAN\michel 2016-12-16 09:27:36.552 +1100 User 'OCEAN\michel' authenticated. Profile FreeRadius in an authentication sequence VPN_Auth_ALL succeeded. From: 22.214.171.124.
If I use michel account to allow access to globalprotect it works.
If I use radius group "VPN_1" to allow access to globalprotect, nothing happen, even if pan retrieve correctly the name of the group.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!