12-02-2014 06:22 AM
I'd like to consult with You one problem. My users authenticate with Radius on Captive Portal web page.
Problem that comes to me is how to assign access according to groups of users. My FreeRadius has only one group of users, I can add more but how to use it in PAN?
I read How to Configure RADIUS Authentication and there is "Retrieve user groups" checkbox but after I enabled it and do commit I cant see my groups in ADD in Authenticate Profile tab.
I know that I should use RADIUS Vendor Specific Attributes (VSA)
PaloAlto-User-Group: Attribute #5 - This is the name of the group to be used in the Authentication Profile
Do You know how to configure FreeRadius to use it? Please point me in right direction with this problem.
12-04-2014 08:42 AM
from my understanding the option Retrieve user groups doesn't retrieve the groups and lists them on any tab. It's just so it will ask the radius server for the VSA #5 like you already linked. The Radius server will send the attribute back and has to match the "user" (groupname in auth profile)
I never worked with FreeRadius but you could follow this guide Adding vendor-specific RADIUS attributes (BlueCoat ProxySG) | David Vassallo's Blog and change everything to the Palo Alto attributes
There is no guaranty that this will work. I hope this helps a bit.
12-08-2014 12:55 AM
I sow it before I posted this question.
At the moment I have one problem, and I cant find answer: Is is possible to use in security policies groups from Radius?
According to my knoweladge is it possible to limit authenticating to group defined in authentificate profile, but what next?
12-08-2014 01:15 AM
in my tests it didn't work to use radius groups in security rules. I think the device only looks up the groups for the user if they try to authenticate. After that the groups of the user are unknown. I didn't get an official answer from palo alto for this problem but I never had the request to use radius groups in policies.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!