group-based policies for RADIUS authenticated users.

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

group-based policies for RADIUS authenticated users.

L3 Networker

Dear community,


For users who authenticate via RADIUS on Active Directory, is there any possibility to fetch the groups for those RADIUS users so that group-based policies can be created in the firewall? 


Thank you!


Cyber Elite
Cyber Elite

Hi @OtakarKlier ,


Many thanks for your answer.


What I´m trying to do is to retrieve the group membership for RADIUS authenticated users in the AD. So that I can use the groups in the policies.

I´m trying to do a group mapping in some way like you do through LDAP.


Is this possible?


Thank you in advance!

Cyber Elite
Cyber Elite

hi @OtakarKlier This KB is for LDAP and not for Radius like what @Carracido was after.  I am also having issues with Radius and retrieving user groups.  i have ticket the 'Retrieve user groups' in the auth profile and configure radius with what i believe are the correct VSA's as per 

Unfortunately i still cannot pull any groups up to panorama/firewall.  Unfortunately this design cannot utilise LDAP at the moment so my options are limited.  Any suggestions?

Cyber Elite
Cyber Elite

You can configure VSA's to use group membership to log into the firewall but Palo don't support using RADIUS groups in security policies.

There is a feature request FR2729 to add that capability.

Ask your Palo SE to add a vote to it.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

hi @Raido_Rattameister thanks for the update.  in my case, the customer doesnt require security enforcement via policy.  At this stage we want to just pull the user groups up from radius and use the im the auth profile and subsequently the client config in GP.  If you have any advice, it would be appreciated.

L4 Transporter

I did get this working but it took quite a lot of messing around so as to not break inadvertently what was working.  Not sure what the issue is on your end but in my case we did not have the USER DOMAIN field filled in or the RETRIEVE USER GROUP FROM RADIUS options checked.  I never went far enough with it to tell if I absolutely needed the domain in there but in my case this was what ultimately did the trick for me.


Also the gateway or wherever the RADIUS group check is being done needs the full distinguished name to work properly.

hi @TonyDeHart thanks for the info.  i have configured the user domain and ticked 'retrieve user groups' in the auth profile.  i have no issue with authenticating user with radius when 'All' is selected.


VSA's configured on the radius for user group IT as an example.


if anyone has any ideas, let me know.

I'm no expert on this, but what I was told when working with Palo support,was that the domain actually doesn't have any impact on the RADIUS authentication itself (in my case it is RSA) and that the domain and group info used is actually using the LDAP groups defined in the authentication profile to determine group membership. Without the domain configured it wasn't determining/matching the groups up with the auth profile and failed the membership check.  It was necessary for the groups to be included in the auth profile AND the domains to match.


Sorry it was a detail I'd forgotten until I looked a bit closer.


  • 9 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!