This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Radius authentication not working
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- Radius authentication not working
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Radius authentication not working
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-27-2023 03:37 AM
We have configured Radius on our VM Palo but its not working. Provided screenshots of configuration we have on the FW and output of test command. Routing is defiantly in place as we can ping Radius server, however no traffic on 1812 reaching PacketFence Radius server. When done tcp dump - I can clearly see it's capturing pings but nothing for port 1812.
Palo Support not being helpful as for now just keep sending me unrelated articles... So hopefully get some advice here 🙂
Target vsys is not specified, user '*******' is assumed to be configured with a shared auth profile.
Egress: x.x.208.14
Authentication to RADIUS server at x.x.65.40:1812 for user '*******'
Authentication type: PAP
Now send request to remote server ...
RADIUS error: bind: Cannot assign requested address
Authentication failed against RADIUS server at x.x.65.40:1812 for user '*********'
Authentication failed for user '****'
Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.
18 REPLIES 18
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-27-2023 05:13 AM - edited 01-27-2023 05:14 AM
Monitor > Logs > System
Filter: ( subtype eq auth )
Do you see auth attempts in logs? What is in log description?
By default traffic sourced from Palo goes out from mgmt interface.
Assuming radius server IP is 1.2.3.4 does command "ping host 1.2.3.4" get replies?
Is Palo mgmt interface and radius server in same subnet or does this traffic traverse firewall?
If it traverses firewall do you see those sessions in traffic log?
Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
Palo Alto Networks certified from 2011
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-27-2023 05:19 AM
ping is going through to radius - I have even add "source" in command to be sure is coming out of management interface.
We can see Auth logs as well but obviously not succesfull :
( description contains 'failed authentication for user \'*****\'. Reason: Authentication request is timed out. auth profile \'PF-Radius\', vsys \'shared\', server profile \'PF-Radius\', server address \'x.x.65.40\', auth protocol \'PAP\', From: x.x.x.x' )
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-27-2023 05:27 AM
If this traffic traverses firewall you can check Monitor > Logs > Traffic if those sessions are permitted, and if packets are sent and received.
You can also take packet capture https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/take-packet-captures/take-a-pac...
Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
Palo Alto Networks certified from 2011
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
01-27-2023 05:30 AM
Yep, we have checked monitor and no intersting traffic was there. Will try to setup capture to see it there. Just wondering if tcp dump from command line is sufficient an that was already done - we could see ping to radius server but nothing on 1812.
Related Content
- Brute Force GlobalProtect Portal via GP app in Custom Signatures
- Issue using MFA in GlobalProtect ) in GlobalProtect Discussions
- LDAP Integration with Redhat IPA in Palo Alto Firewall in Next-Generation Firewall Discussions
- Enforcing Global Protect only on remote sessions in General Topics
- Gateway certificate error when switching to SAML authentication in GlobalProtect Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks