01-06-2022 05:24 PM
Happy 2022!
We've just set up VWires for our branch firewalls (A/A, Layer 2), with no IP address on any interfaces except:
- Mgmt (routable and managed by Panorama)
- HA1-3 (non-routable address)
Most of the device management (SNMP, NTP, etc. via the Mgmt IP) works fine except for RADIUS authentication. We did some troubleshooting:
- tested on the firewall with the 'test authentication radius' CLI command, and it worked successfully
But when we try to log on to the firewall, it fails and doesn't reach the RADIUS server; upon checking, the firewall is using the HA address as the source.
I might have missed something, but I've looked everywhere, unless this is simply not supported for a VWire design.
01-06-2022 07:56 PM
Thank you for the post @annielee, and Happy 2022!
I have one site running with an identical setup (VWire, no interface IP address, A/A HA, Panorama managed). The only difference is that I am using TACACS+ instead of RADIUS. From what you have described this should be working, and I do not see any reason why this should not be supported.
Could you please check that the management interface is configured under: Device > Setup > Services > Service Route Configuration > Use Management Interface for all.
Also, could you please check the log with 'tail follow yes mp-log authd.log' to see whether it uncovers more details?
Kind Regards
Pavel
01-07-2022 06:05 PM
Thanks for your reply.
Yes, I've checked the Service Route and it's using the Mgmt interface for all. Below is the debug output; it mentions that it cannot bind the interface.
2022-01-08 11:38:32.108 +1100 debug: _start_async_auth(pan_auth_service_handle.c:293): enqueued into not send queue: elapsed secs: 3 (max allowed secs (timeout) 60)
2022-01-08 11:38:32.109 +1100 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:236): username: annielee
2022-01-08 11:38:32.109 +1100 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:398): RADIUS request type: PAP
2022-01-08 11:38:32.109 +1100 debug: _create_rw_sock(pan_authd_conn_mgmt.c:1448): create a UDP socket: 15
2022-01-08 11:38:32.109 +1100 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1477): Failed to bind to client side sock: errno=126(Cannot assign requested address)
2022-01-08 11:38:32.109 +1100 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1499): reached max number of retries (3) to connect to server :0
2022-01-08 11:38:32.109 +1100 Error: _try_fd_create_if_not(pan_authd_conn_mgmt.c:517): _create_rw_sock()
2022-01-08 11:38:32.109 +1100 Error: pan_authd_conn_mgmt_enqueue_req(pan_authd_conn_mgmt.c:589): _try_fd_create_if_not() for conn context id: 2
2022-01-08 11:38:32.109 +1100 Error: _start_async_auth(pan_auth_service_handle.c:283): pan_authd_conn_mgmt_enqueue_req(): rad req id: 188; seq num: 188 ; authd global id 7044706393709871124
2022-01-08 11:38:32.109 +1100 debug: _start_async_auth(pan_auth_service_handle.c:293): enqueued into not send queue: elapsed secs: 3 (max allowed secs (timeout) 60)
2022-01-08 11:38:32.109 +1100 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:236): username: annielee
2022-01-08 11:38:32.109 +1100 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:398): RADIUS request type: PAP
2022-01-08 11:38:32.109 +1100 debug: _create_rw_sock(pan_authd_conn_mgmt.c:1448): create a UDP socket: 15
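The authd.log lines above show the daemon failing at the bind() step, before any packet leaves the box: "Cannot assign requested address" is what the OS returns when a client socket is bound to a source IP the host does not own, which is consistent with the service route selecting an address that only exists on the HA link. The following Python is an added example, not part of this thread or of Palo Alto Networks' own code: it parses the posted log lines for that failure, reproduces the same bind behaviour with a plain UDP socket, and combines the two with a hypothetical management address and a hypothetical service-route source (192.0.2.10 and 198.51.100.1 are constructed values; the log excerpt is trimmed from the post above).

```python
import errno
import re
import socket

# Constructed excerpt of the authd.log output posted above (one retry cycle);
# the real log repeats this block for each of the three retries.
SAMPLE_AUTHD_LOG = """\
2022-01-08 11:38:32.109 +1100 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:398): RADIUS request type: PAP
2022-01-08 11:38:32.109 +1100 debug: _create_rw_sock(pan_authd_conn_mgmt.c:1448): create a UDP socket: 15
2022-01-08 11:38:32.109 +1100 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1477): Failed to bind to client side sock: errno=126(Cannot assign requested address)
2022-01-08 11:38:32.109 +1100 Error: _create_rw_sock(pan_authd_conn_mgmt.c:1499): reached max number of retries (3) to connect to server :0
2022-01-08 11:38:32.109 +1100 Error: _try_fd_create_if_not(pan_authd_conn_mgmt.c:517): _create_rw_sock()
"""

# The numeric errno is whatever the daemon's platform uses (126 here, while a
# Linux host reports EADDRNOTAVAIL as 99); key off the message text instead.
BIND_FAIL_RE = re.compile(
    r"^(?P<ts>\S+ \S+ \S+) Error: _create_rw_sock\([^)]*\): "
    r"Failed to bind to client side sock: errno=(?P<errno>\d+)\((?P<msg>[^)]*)\)$"
)
RETRY_RE = re.compile(
    r"reached max number of retries \((?P<n>\d+)\) to connect to server (?P<server>\S*)$"
)


def find_bind_failures(log_text):
    """One dict per 'Failed to bind to client side sock' line."""
    found = []
    for line in log_text.splitlines():
        m = BIND_FAIL_RE.match(line)
        if m:
            found.append({"ts": m.group("ts"),
                          "errno": int(m.group("errno")),
                          "msg": m.group("msg")})
    return found


def find_retry_exhaustion(log_text):
    """(retries, server) pairs from 'reached max number of retries' lines;
    the server field is reproduced as logged (':0' in the post above)."""
    return [(int(m.group("n")), m.group("server"))
            for m in map(RETRY_RE.search, log_text.splitlines()) if m]


def try_bind_udp(source_ip, port=0):
    """Bind a UDP client socket to source_ip before sending, as authd does.
    Returns None on success, otherwise the errno symbol: 'EADDRNOTAVAIL' is
    the symbol behind 'Cannot assign requested address' on a Linux host."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind((source_ip, port))
        return None
    except OSError as exc:
        return errno.errorcode.get(exc.errno, "errno=%s" % exc.errno)
    finally:
        sock.close()


def diagnose(log_text, local_addresses, chosen_source):
    """Combine the log evidence with the addresses the management plane owns.
    local_addresses and chosen_source are supplied by the caller (for example
    from 'show interface management' and the RADIUS service route); the
    values used below are hypothetical."""
    failures = find_bind_failures(log_text)
    if not failures:
        return "no bind failure in log"
    msg = failures[0]["msg"]
    if msg == "Cannot assign requested address" and chosen_source not in local_addresses:
        return ("bind source %s is not a local address; "
                "fix the RADIUS service route source" % chosen_source)
    return "bind failed (%s) for a reason other than a non-local source" % msg


if __name__ == "__main__":
    # Constructed addresses: mgmt owns 192.0.2.10, the HA link uses 198.51.100.1.
    print(find_bind_failures(SAMPLE_AUTHD_LOG))
    print(find_retry_exhaustion(SAMPLE_AUTHD_LOG))
    print("bind 0.0.0.0 ->", try_bind_udp("0.0.0.0"))
    print("bind 192.0.2.1 (not local) ->", try_bind_udp("192.0.2.1"))
    print(diagnose(SAMPLE_AUTHD_LOG, {"192.0.2.10"}, "198.51.100.1"))
```

Running the script on a host that does not own 192.0.2.1 shows the second bind returning EADDRNOTAVAIL, the same condition the daemon logs; the point of the check is that a successful 'test authentication' from the CLI does not prove the service-route source is usable by authd, so the source address has to be verified directly against the addresses the management plane actually owns.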
01-13-2022 11:31 PM
Thank you for the reply @annielee
Would it be possible to try changing the interface to 'any' and selecting the management IP address from the drop-down list?
Also, could you please tell me which PAN-OS version you are running?
Thank you
Pavel
01-14-2022 12:49 AM
Hi @annielee
That really looks like an issue with the management interface and the HA setup: the daemon is trying to allocate the IP to make the request from to the socket but cannot. The only thing I can think of is that when you run the test authentication, it is actually sourced from the local box you are on at the time.
You could check at the RADIUS end to see which IP is being presented as the client when the test succeeds. If that is the case, it could well be an issue with floating IP allocation for the Active/Active HA pair to communicate with the RADIUS server. I am not really used to Active/Active deployments, but thought I would suggest that anyway.
Hope you get it worked out!