Global Protect using Radius works perfect for users in the parent domain. It will not work for users in child domains.
I worked with Palo Support for several hours and they believe the issue is a setting on the Radius server but they do not know what the settings on the Radius server should be for child domains.
Does anyone know how to set the Radius server settings or have a DOC to it?
This is not an issue for my Cisco ASA...
14:45:02.165702 IP 192.168.165.241.54053 > Server.Parent.com.radius: RADIUS, Access Request (1), id: 0x4e length: 64
14:45:02.167058 IP Server.Parent.com..radius > 192.168.165.241.54053: RADIUS, Access Reject (3), id: 0x4e length: 20
What happens if the user adds the prefix to the username to specify the child domain so that when the request is forwarded from the PAN firewall towards the RADIUS server the request is as follows ChildDomain\username rather than the user just trying to authenticate with the username only?
I was finally able to get the user to authenticate to the web address to download the client by adding the specific path for the child domain users in the PA Authentication Profile and doing the same on the radius server. But it does not work for the global protect client. I would think since it authenticated the user to download the client it would have worked when connecting with global protect.
Yes have to use ChildDomain\UserName
GlobalProtect portal user authentication failed. Login from: 188.8.131.52, User name: TestUser, Reason: Authentication failed: Invalid username or password
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!