02-26-2010 07:43 AM
In the service route configuration one can define which interface should be used by the management plane to reach the RADIUS server which you will use.
However, RADIUS can be used both for admin-logins as well as captive portal (user-logins).
Is it possible to set up one RADIUS to be used for admin-logins (towards the PA unit) and another RADIUS to be used to authenticate users in captive portal before they can do web-browsing?
02-26-2010 07:44 AM
I forgot...
The RADIUS used for admin-logs will only be accessible through the MGT interface, while the RADIUS used for captive portal will be accessed through any of the other ethernet-interfaces on the dataplane.
03-04-2010 03:22 PM
I assume that this post is the answer to your previous question.
03-04-2010 09:35 PM
Based on your answer, I guess it's not possible to use one RADIUS for adminlogs (towards MGT) and another RADIUS for userlogins (towards captive portal)?
I guess I'll have to issue yet another request...
Another request would be if Palo Alto Networks could issue requests on their own based on the discussions in KnowledgePoint without having to force their customers to issue a specific request towards their support.
03-05-2010 08:49 AM
If you click on "show destinations" in the service route configuration - you can put in there the IP address of the 2nd RADIUS server and the alternative L3 interface you wish to use.
Hope this helps
03-05-2010 10:55 AM
But that would render that users can log in to the MGT interface just because they exist in the userradius and not in the adminradius.
It would be nice if those two things could be separate (since the dataplane and controlplane are already (somewhat) separate in a PAN).
03-05-2010 11:09 AM
I think we need to back up a few steps. The RADIUS server for admin authentication is independent of the RADIUS server for captive portal authentication. Assuming those two IP addresses are different, you can do as James suggested and route the requests out specific interfaces via the Service Route Configuration.
Mike
03-05-2010 02:08 PM
Ahh, OK, so selecting RADIUS in the service route configuration is the global setting for the PAN for where to send RADIUS requests (or rather, which source interface should be used), and if I do that I will also have to add a "static" route in the service route configuration towards the IP for the userradius used by the captive portal (assuming that the "radius" setting in service route will be set to use the MGT interface), and then everything should be fine? 🙂
Are there any differences when sending "administrative" traffic through one of the dataplane interfaces compared to the dedicated mgt-interface?
I'm thinking of whether the FPGA will cut the sessions due to some timeout which might exist on stuff that passes through the dataplane, but it will not be cut when using the mgt-interface?