Debugging Radius server connection for captive portal


L1 Bithead

Hi,

I'm using freeradius as the radius server and trying to connect it with a PA-500. (I tried to access the freeradius setup document at https://live.paloaltonetworks.com/docs/DOC-1238 but I am apparently unauthorized - do you know what level of support you need to access it?)

When I try to access a website that requires captive portal, the authentication page appears but I am unable to authenticate my username/password.  The radius server is also not seeing the authentication request, so I suspect this is a network connectivity issue.

The radius server is located in a zone that has access to the "outside" web server and the "inside" host has access to the radius server "zone".

All of my ports are configured to be Layer 3.

I'm having a lot of difficulty because I'm lacking visibility on exactly what is happening... is there a way to verify that my radius server is indeed communicating with the PA-500?

Thanks!

7 REPLIES

The PA-500 has been upgraded to PAN-OS 3.1.6.

I don't see the captive_portal.log anymore under #tail mp-log

I get the following errors in authd.log (does that cover both captive portal and admin?):

admin@PA-500> tail mp-log authd.log
Jan 11 16:06:32 User 'pek' failed authentication. Reason: Invalid username/password From: 10.1.0.2.
Jan 11 16:06:32 pan_authd_send_auth_resp(pan_authd.c:1775): pan_authd_send_auth_resp
Jan 11 16:06:32 pan_authd_send_auth_resp(pan_authd.c:1793): Sent the response to client
Jan 11 16:07:41 pan_authd_loop(pan_authd.c:2101): Got a msg to authd
Jan 11 16:07:41 pan_authd_loop(pan_authd.c:2111): recv'ed 1068 bytes from 127.0.0.1
Jan 11 16:07:41 pan_authd_service_req(pan_authd.c:1936): pan_authd_service_req()
Jan 11 16:07:41 pan_authd_service_req(pan_authd.c:1954): Authd:get group request
Jan 11 16:07:41 pan_authd_handle_group_req(pan_authd.c:1905): Got user role/adomain / for user admin
Jan 11 16:07:41 pan_authd_handle_group_req(pan_authd.c:1918): Sending group response msg type 3, conv id 1, to  127.0.0.1 : 38525
Jan 11 16:07:41 pan_authd_handle_group_req(pan_authd.c:1923): Sent the auth group response to client

The above log does not look like captive portal problems.  On the GUI, under Monitor > System, I see two related error messages:

01/11 16:06:34 general informational general Captive portal authentication failed for user: pek on 10.1.0.2, vsys1 
01/11 16:06:32 general informational auth-fail User 'pek' failed authentication. Reason: Invalid username/password From: 10.1.0.2.

I've simplified my network configuration to be a star network (essentially flat, where the Palo Alto is in the middle doing routing between devices) and all active interfaces are in one zone.

I'm still stuck trying to figure out why the radius server is not receiving authentication requests from the palo alto.

Thanks for all of the information.  At this point I would suggest opening a case with your support provider so that a live troubleshooting session can take place. 

Thanks~

I will open a case with our support.
