Captive Portal with Radius and groups of users

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Captive Portal with Radius and groups of users

L4 Transporter

Hello

I'd like to consult with You one problem. My users authenticate with Radius on Captive Portal web page.

Problem that comes to me is how to assign access according to groups of users. My FreeRadius has only one group of users, I can add more but how to use it in PAN?

I read How to Configure RADIUS Authentication and there is "Retrieve user groups" checkbox but after I enabled it and do commit I cant see my groups in ADD in Authenticate Profile tab.

I know that I should use RADIUS Vendor Specific Attributes (VSA)

PaloAlto-User-Group: Attribute #5 - This is the name of the group to be used in the Authentication Profile

Do You know how to configure FreeRadius to use it? Please point me in right direction with this problem.

Regards

SLawek

6 REPLIES 6

L4 Transporter

bump

No one is using RAdius auth with groups pulling ?

Regards

SLawek

L3 Networker

Hi,

from my understanding the option Retrieve user groups doesn't retrieve the groups and lists them on any tab. It's just so it will ask the radius server for the VSA #5 like you already linked. The Radius server will send the attribute back and has to match the "user" (groupname in auth profile)

I never worked with FreeRadius but you could follow this guide Adding vendor-specific RADIUS attributes (BlueCoat ProxySG) | David Vassallo's Blog and change everything to the Palo Alto attributes

There is no guaranty that this will work. I hope this helps a bit.

Hi

I sow it before I posted this question.

At the moment I have one problem, and I cant find answer: Is is possible to use in security policies groups from Radius?

According to my knoweladge is it possible to limit authenticating to group defined in authentificate profile, but what next?

Regards

Slawek

Hi,

in my tests it didn't work to use radius groups in security rules. I think the device only looks up the groups for the user if they try to authenticate. After that the groups of the user are unknown. I didn't get an official answer from palo alto for this problem but I never had the request to use radius groups in policies.

so  I wil lask my SE for confirmation, but this isnt a good news for me Smiley Sad

Thank You

Regards

Slawek

Hi,

 

Did you had confirmation about this ?

I trying to accomplish exactly the same thing but on globalprotect, and my group never match.

 

 

2016-12-16 09:27:36.550 +1100 debug: pan_process_radius_auth(pan_authd.c:1115): Found radius group VPN_1 for user OCEAN\michel
2016-12-16 09:27:36.550 +1100 authentication succeeded for user <vsys1,FreeRadius,OCEAN\michel>
2016-12-16 09:27:36.551 +1100 authentication succeeded for remote user <OCEAN\michel(orig:michel)>
2016-12-16 09:27:36.551 +1100 debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: OCEAN\michel authresult auth'ed
2016-12-16 09:27:36.551 +1100 Request received to unlock vsys1/VPN_Auth_ALL/OCEAN\michel
2016-12-16 09:27:36.552 +1100 User 'OCEAN\michel' authenticated. Profile FreeRadius in an authentication sequence VPN_Auth_ALL succeeded.  From: 203.147.79.6.

 

If I use michel account to allow access to globalprotect it works.

If I use radius group "VPN_1" to allow access to globalprotect, nothing happen, even if pan retrieve correctly the name of the group.

 

 

  • 7086 Views
  • 6 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!