Captive Portal with Radius and groups of users

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Captive Portal with Radius and groups of users

L4 Transporter


I'd like to consult with You one problem. My users authenticate with Radius on Captive Portal web page.

Problem that comes to me is how to assign access according to groups of users. My FreeRadius has only one group of users, I can add more but how to use it in PAN?

I read How to Configure RADIUS Authentication and there is "Retrieve user groups" checkbox but after I enabled it and do commit I cant see my groups in ADD in Authenticate Profile tab.

I know that I should use RADIUS Vendor Specific Attributes (VSA)

PaloAlto-User-Group: Attribute #5 - This is the name of the group to be used in the Authentication Profile

Do You know how to configure FreeRadius to use it? Please point me in right direction with this problem.




L4 Transporter


No one is using RAdius auth with groups pulling ?



L3 Networker


from my understanding the option Retrieve user groups doesn't retrieve the groups and lists them on any tab. It's just so it will ask the radius server for the VSA #5 like you already linked. The Radius server will send the attribute back and has to match the "user" (groupname in auth profile)

I never worked with FreeRadius but you could follow this guide Adding vendor-specific RADIUS attributes (BlueCoat ProxySG) | David Vassallo's Blog and change everything to the Palo Alto attributes

There is no guaranty that this will work. I hope this helps a bit.


I sow it before I posted this question.

At the moment I have one problem, and I cant find answer: Is is possible to use in security policies groups from Radius?

According to my knoweladge is it possible to limit authenticating to group defined in authentificate profile, but what next?




in my tests it didn't work to use radius groups in security rules. I think the device only looks up the groups for the user if they try to authenticate. After that the groups of the user are unknown. I didn't get an official answer from palo alto for this problem but I never had the request to use radius groups in policies.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!