Using two different Radius at the same time?

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Using two different Radius at the same time?

L3 Networker

In service route configuration one can define which interface should be used by the managementplane to reach the Radius server which you will use.

However Radius can be used both for admin-logins aswell as captive portal (user-logins).

Is it possible to setup one Radius to be used for admin-logins (towards the PA unit) and another Radius to be used to authenticate users in captive portal before they can do web-browsing?


L3 Networker

I forgot...

The Radius used for admin-logs will only be accessible through MGT interface while Radius used for captive portal will be accessed through any of the other ethernet-interfaces on the dataplane.

L4 Transporter

I assume that your next post has already answered this question.

L4 Transporter

I assume that this post is the answer to your previous question.

Based on your answer I guess its not possible to use one Radius for adminlogs (towards MGT) and another Radius for userlogins (towards captive portal)?

I guess I'll have to issue yet another request...

Another request would be if PaloAlto Networks could issue requests on their own based on the discussions in KnowledgePoint without having to force their customers to issue a specific request towards their support.

L4 Transporter

If you click on "show destinations" in the service route configuration - you can put in there the IP address of the 2nd RADIUS server and the alternative L3 interface you wish to use.

Hope this helps

But that would render that users can login to MGT interface just because they exists in the userradius and not in the adminradius.

It would be nice if those two things could be separate (since the dataplane and controlplane is already (somewhat) separate in a PAN).

I think we need to back a few steps. The RADIUS server for admin authentication is independent of the RADIUS server for captive portal authentication. Assuming those two IP addresses are different, you can do as James suggested and route the requests out specific interfaces via the Service Route Configuration.


Ahh ok so selecting radius in service route configuration is the global setting for the PAN where to (or rather which source interface should be used) send radius requests and if I do that I will also have to add a "static" route in the service route configuration towards the ip for the userradius used by the captive portal (assuming that the "radius" setting in service route will be set to use MGT interface) and then everything should be fine? 🙂

Are there any differences when sending "administrative" traffic through one of the dataplane interfaces compared to the dedicated mgt-interface?

Im thinking of if the fpga will cut the sessions due to some timeout which might exist on stuff that passes through dataplane but it will not be cut when using mgt-interface?

  • 8 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!