How to use "Retrieve User Group" feature in RADIUS profile?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

How to use "Retrieve User Group" feature in RADIUS profile?

Not applicable

I would like to use my AD groups in Security rules (along with RADIUS and HTML Captive Portal). So far I managed to use "known users" only, seems due to a lack of Group attribute exchange between PAN and RADIUS (MS IAS 2003).

I found the promising "Retrieve User Group" chekbox in RADIUS authentication profile settings but so far didn't find any reference to it in the Knowledgepoint.

Can anyone point me to a relevant docs, or to share a personal experience?




L3 Networker

In order to use AD groups in security policies you will have to forward the group information from the Pan-agent to the Pan firewall using the Filter Group Members setting on the Pan-Agent gui

I am not going to use PAN agent (for this network segment), but rather HTTP Captive Portal with RADIUS. My problem is that the only method that worked so far was defining "known user" in security rule and specific AD user group in RADIUS policy that is not what I need (actually I need in a contrary).



Hi There,

You should configure an LDAP connection to your AD server in order to obtain groups for users that login via Captive Portal - you can use either RADIUS or LDAP to actually auth the users.

This doc may help you:



Thanks, James.

I will try to configure LDAP auth (actually I belive that I would not need RADIUS if LDAP auth in place).


Hi Evgeny,

You are correct - although it is also possible to auth users via RADIUS and get group info from LDAP.  One use case for this is when two factor authentication is required.

Good Luck!


I think these comments are missing your original question. There is a RADIUS VSA that you can use to have the RADIUS server pass the group info. It is called PaloAlto-User-Group. If you use this VSA on the RADIUS server, and then check the Retrieve User Group option you mention, the group name specified in the VSA will be checked in the allow list of the auth profile. You can enter the group names manually in the auth profile.


Mike: indeed. 🙂

Anyway, I am going to test both ways next week (RADIUS User group and LDAP).

Assuming that MS IAS 2003 knows to deal with that PaloAlto-User-Group VSA....

Hi - I believe (from the original question) the groups are required for setting security policy.  If this is true, then you'll need to use LDAP - VSA's are not currently supported for setting security policy rules against them.  If the group information is for Access rights to the device, then  VSA's will work.

Just to try to help you save time Smiley Happy



L2 Linker

I have found this doc where we are able to authenticate with Radius and the group mapping for the same user can be used in policy with help of LDAP having same names.

L4 Transporter


There is FR2729 to pull groups from Radius, please vote for this FR - at the moment is only 8 votes



  • 10 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!