Radius Auth VIA management?

L1 Bithead

Greetings,

I have a GP portal and gateway configured for RADIUS auth in vr2, with just connected routes and a default route. vr1 has the routes to the RADIUS server. My question is, can I send the auth requests via the management port?

Thanks

Accepted Solutions

Hi @tcsmithh,

By default the Palo Alto firewall will always use the dedicated management interface for services like authentication servers, DNS, NTP, etc.

When you configure your RADIUS server, the firewall will try to reach it over the dedicated management interface. Note that this traffic does not pass through the firewall policy, nor perform a route lookup in any VR (virtual router); it just uses the management default route.

If the FW management network does not have access to the RADIUS server, you can tell the firewall to use one of the dataplane interfaces by changing the relevant service route - https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/service-routes/service-routes-...

With service routes you basically tell the firewall which dataplane interface to use as the source interface. After that, the traffic will perform a route lookup - against the VR associated with the source interface - to determine the next hop. The traffic will also pass through the security policy, so if your policy is very restrictive you need to make sure it is allowed.


L1 Bithead

Thank you very much, I was certain that was the case, but wanted verification.... unless I do custom routing.... Thanks again.

Hi @tcsmithh,

In the service routes config you can specify the source interface per service, or per destination.

If you define a source interface for the RADIUS service, this will force the firewall to use the same interface for every RADIUS server you define.

Specifying the source interface per destination allows you to have different RADIUS servers reachable from different interfaces/VRs.
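As an added worked example (not part of the original thread), here are the two service-route options described in the answers above, written as PAN-OS configure-mode CLI, together with the security-policy rule the answer warns about and a way to check the result. The interface ethernet1/2, the 10.1.1.1 source address, the 10.50.0.10 RADIUS server, the zone names and the authentication-profile name are assumed placeholders; substitute your own.

```text
# Added example, not the original poster's configuration. Placeholders:
# ethernet1/2 is a vr1 interface, 10.1.1.1 is its address, 10.50.0.10 is the
# RADIUS server, zones are "inside-vr1" and "servers", profile is "radius-prof".
configure

# Option A: per-service. Every RADIUS server is now reached from ethernet1/2,
# so the route lookup happens in vr1 (the VR that owns ethernet1/2).
set deviceconfig system route service radius source interface ethernet1/2
set deviceconfig system route service radius source address 10.1.1.1

# Option B: per-destination. Only this RADIUS server leaves via ethernet1/2;
# any other RADIUS server keeps the default path over the management port.
# A destination entry takes precedence over the per-service entry above.
set deviceconfig system route destination 10.50.0.10/32 source interface ethernet1/2 source address 10.1.1.1

# Traffic sourced from a dataplane interface is evaluated by security policy.
# Allow the RADIUS application (UDP/1812, plus 1813 if accounting is used)
# from the zone of ethernet1/2 to the zone holding the RADIUS server.
set rulebase security rules allow-fw-radius from inside-vr1 to servers source 10.1.1.1 destination 10.50.0.10 application radius service application-default action allow

commit
exit

# Check: trigger an authentication against the profile that references the
# RADIUS server (prompts for the password), then confirm the request shows up
# in the traffic log with source 10.1.1.1 rather than the management address.
test authentication authentication-profile radius-prof username jdoe password
show log traffic direction equal backward query equal "( addr.src in 10.1.1.1 ) and ( app eq radius )"
```

If the test succeeds but no matching session appears in the traffic log, the request is still leaving via the management interface: re-check that the service route was committed and that the destination entry matches the RADIUS server address configured in the server profile.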
