How to configure Radius Authentication for SSL-VPN?


L2 Linker

Hi everybody,

PA-500
Software: 3.0.5

Can somebody tell me how to configure the Radius authentication for
SSL-VPN?
I have configured the "Authentication Profile" with a Radius Server (IP, Secret).
I have added an Active Directory Group in the allow list. So, the AD agent is working!
I know that the agent is not necessary.

The Radius is a Windows 2008 Server. I have configured it using the explanation
in this Knowledge Point (https://live.paloaltonetworks.com/docs/DOC-1232)!

When I try to authenticate myself, I get an error (Radius Server) that my Username and/or Password are wrong.

When I use the Captive Portal with the same Radius Server, then it works.

When I use the local database for the SSL-VPN authentication, then it works immediately.

So, can somebody tell me what I'm doing wrong?
Is there a hidden property that I have to set?

Best Regards
Christian

3 REPLIES

L5 Sessionator

If Radius is working for the management login and not for the SSL VPN, there may be a config in the PAN that isn't correct.  You may want to check the domain name in the Authentication Profile and verify that it is lower case.  For further troubleshooting please contact Tech Support.

Thank you for your answer.

We have tried different configs: the domain name in lower and upper case, the whole domain string, or no domain string.

But nothing seems to be working.

Only when we add the NT-Domain name in lower case, the PaloAlto sends the request to the Radius; in the other cases the PaloAlto drops the authentication and says "User not allowed".

Then there is no matching with the allow list for the SSL-VPN!

L2 Linker

With Firmware version 3.1.0 Beta25 it seems to be working!

We made no configuration changes on either side (Firewall and Radius),
and now it works.
