Radius authentication not working


L2 Linker

We have configured Radius on our VM Palo but it's not working. Provided screenshots of configuration we have on the FW and output of test command. Routing is definitely in place as we can ping Radius server, however no traffic on 1812 reaching PacketFence Radius server. When done tcp dump - I can clearly see it's capturing pings but nothing for port 1812.

Palo Support not being helpful as for now just keep sending me unrelated articles... So hopefully get some advice here 🙂 

 

 

Target vsys is not specified, user '*******' is assumed to be configured with a shared auth profile.

 

Egress: x.x.208.14

Authentication to RADIUS server at x.x.65.40:1812 for user '*******'

Authentication type: PAP

Now send request to remote server ...

RADIUS error: bind: Cannot assign requested address

Authentication failed against RADIUS server at x.x.65.40:1812 for user '*********'

 

 

Authentication failed for user '****'




Cyber Elite

Your Palo mgmt interface gets 209 IP from DHCP. It is not manually configured on Palo.

Seems you need to use ethernet1/2 as source interface and .15 IP to get all working. Unless you review and change underlying virtual networking setup.

 


 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
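
Added example, not part of the thread and not Palo Alto Networks code: "bind: Cannot assign requested address" is the EADDRNOTAVAIL error a socket bind returns when the requested source IP is not assigned to any local interface, so the request is never sent, which matches the empty capture on port 1812. The Python sketch below reproduces that check on any host without transmitting anything; the function names and the 192.0.2.14 / 127.0.0.1 sample addresses are assumptions made for illustration.

```python
import errno
import socket


def check_radius_source(src_ip, server_ip, server_port=1812):
    """Check locally whether src_ip can source UDP traffic toward the server.

    Nothing is transmitted: bind() and a UDP connect() only consult the
    host's interface addresses and routing table.
    """
    result = {"bindable": False, "error": None, "kernel_source": None}

    # Step 1: the same operation that failed in the firewall's test output.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.bind((src_ip, 0))
            result["bindable"] = True
        except OSError as exc:
            result["error"] = errno.errorcode.get(exc.errno, str(exc.errno))

    # Step 2: ask the kernel which source address it would pick by itself.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect((server_ip, server_port))
            result["kernel_source"] = s.getsockname()[0]
        except OSError:
            pass  # no route to the server from this host
    return result


def explain(src_ip, result):
    if result["error"] == "EADDRNOTAVAIL":
        return (f"{src_ip} is not assigned to any local interface; "
                f"no packet leaves the host (kernel would use "
                f"{result['kernel_source']})")
    if not result["bindable"]:
        return f"bind to {src_ip} failed: {result['error']}"
    return f"{src_ip} is a usable source address"


if __name__ == "__main__":
    # Constructed values: 192.0.2.14 (documentation range) stands in for a
    # configured source IP the host does not own; 127.0.0.1 is the "server".
    for src in ("192.0.2.14", "127.0.0.1"):
        print(explain(src, check_radius_source(src, "127.0.0.1")))
```
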

I have changed in Service Route config IPV4 and Destination IP to x.x.209.15 with src int 1/2.

I think it did some "trick" as now when applying "test" command on cli I don't have any errors - it's just hanging without any output.

Also I can see traffic logs (attached) with reason for session end "n/a"

So hopefully changing IP on PF Radius to .209.15 (as it's set up for .14) will do the trick.

Or should we look into changing mgmt IP in DHCP to .15 as well?

 

 

Cyber Elite

As mentioned earlier ethernet1/2 and mgmt can't have same .15 IP.

If you look at VM config then first nic is mgmt port on Palo, second nic ethernet1/1, third nic ethernet1/2 etc.

So vNic config that matches mgmt port in Palo is in different virtual network/zone compared to ethernet1/2 one.

That is why you get different IP from DHCP.

So you need to engage your network persons if you want to use mgmt port for radius.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Ok, understand it now - just bit new to VM solution in AWS - last good few years was working with multiple physical Palo boxes.

Will check with Radius guys to change IP to .15 there and hopefully it will work with Radius request coming from eth 1/2 with x.x.209.15 IP

 

Thanks again for your help - much appreciated.
