12-12-2012 05:15 AM
Dear,
We use RADIUS profiles for internal users towards a customer internal network policy server and so on. The administration of the Palo firewall is done via the MGT interface on a dedicated PVLAN-based administration network. We want to enable RADIUS authentication for administrator purposes, but this seems to be impossible due to the fact that the service routing for RADIUS (the interface selected is the L3 interface of the customer zone) is occupied. The RADIUS requests for the MGT are also sent via this way, wrong of course; they should go via the administration network towards another (Cisco ACS) server. Can this be done? It seems impossible to make sure the MGT uses the MGT network interface apart from the customer zones.
Specific routings towards the ACS system in this service config page seem to work, but the source IP address of the request is not the one from the MGT interface but from an L3 interface on the firewall specified for the customer.
Can this be solved somehow?
12-12-2012 07:47 AM
Hi... You can try this. Define 2 RADIUS servers/profiles, 1 for users and 1 for admin, where each server has a different IP address. Then point the service route to 1 RADIUS server using the MGT port, and use the destination option on the right to source from the 2nd interface to the 2nd RADIUS server.
Thanks.
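The split described in the reply above, as an added example that is not part of the thread and not Palo Alto Networks code: a simplified model of service-route resolution (destination-specific route wins over the per-service route, anything unrouted falls back to MGT) used to verify before commit that admin RADIUS is sourced from MGT and user RADIUS from the customer L3 interface. All addresses, interface names and server roles are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Assumed (simplified) resolution order: destination route > service route > MGT.
MGT = ("mgt", "10.200.0.5")            # constructed MGT address on the admin PVLAN
ADMIN_ACS = "10.200.0.10"               # constructed Cisco ACS on the admin network
USER_NPS = "172.16.5.20"                # constructed customer policy server
CUSTOMER_L3 = ("ethernet1/1", "172.16.5.1")  # constructed customer-zone L3 interface


@dataclass
class ServiceRoutes:
    service_routes: dict = field(default_factory=dict)      # service -> (iface, src_ip)
    destination_routes: dict = field(default_factory=dict)  # prefix  -> (iface, src_ip)

    def resolve(self, service, dst):
        """Return the (interface, source_ip) a request for `service` to `dst` would use."""
        addr = ip_address(dst)
        hits = [(net, src) for net, src in self.destination_routes.items()
                if addr in ip_network(net)]
        if hits:  # most specific destination route overrides the service route
            return max(hits, key=lambda h: ip_network(h[0]).prefixlen)[1]
        return self.service_routes.get(service, MGT)


def broken_config():
    # The situation in the question: one RADIUS service route pinned to the customer L3 interface,
    # so admin authentication towards the ACS also leaves with the customer-zone source address.
    return ServiceRoutes(service_routes={"radius": CUSTOMER_L3})


def fixed_config():
    # The reply's layout: RADIUS service route on MGT, plus a destination route only for the
    # user RADIUS server that sources from the customer L3 interface.
    return ServiceRoutes(service_routes={"radius": MGT},
                         destination_routes={f"{USER_NPS}/32": CUSTOMER_L3})


def check_radius_sources(routes, admin_server=ADMIN_ACS, user_server=USER_NPS):
    """Report where each RADIUS request is sourced and whether the split is correct."""
    admin_src = routes.resolve("radius", admin_server)
    user_src = routes.resolve("radius", user_server)
    return {"admin": admin_src, "user": user_src,
            "admin_via_mgt": admin_src[0] == "mgt",
            "user_via_customer": user_src == CUSTOMER_L3}


if __name__ == "__main__":
    print("before:", check_radius_sources(broken_config()))
    print("after: ", check_radius_sources(fixed_config()))
```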