Palo Alto NGFW 10.1.7 - RADIUS Configuration - RSA Ready Implementation Guide
Originally Published: 2023-03-29

This section describes how to integrate Palo Alto NGFW with Authentication Manager using RADIUS.

Configure RSA Authentication Manager

Perform these steps to configure RSA Authentication Manager for RADIUS.

Procedure 

  1. Log in to the RSA Security Console GUI and go to RADIUS > RADIUS Clients > Add New.
  2. Click Save & Create Associated Agent > Save > Yes, Save Agent.
  3. If you are using RADIUS for Admin UI access and you have not created the specific users with their admin roles on Palo Alto, or you want to do authorization in general, you must configure RADIUS Profiles to return those admin roles. (On the Palo Alto side, the Authentication Profile must be configured to get the group from RSA.)
  4. Go to Security Console > RADIUS > RADIUS Profiles > Add New. (Prerequisite: an existing RADIUS model "Palo Alto" must be in use by a RADIUS client.)
  5. Afterward, assign the needed values for the user group and admin role so that they match the Palo Alto configuration for authorization purposes.
  6. You can assign this profile per user (go to Identity > Users > Manage Existing) or on the Palo Alto RADIUS client itself.
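
To check that the RADIUS profile from steps 3 to 5 returns what the firewall will match on, the following added example (not part of the original guide, and not RSA or Palo Alto code) decodes the Palo Alto vendor-specific attributes from an Access-Accept. The vendor ID 25461 and the attribute numbers are taken from Palo Alto's RADIUS dictionary rather than from this page; the sample packet, role name, and group DN are constructed.

```python
import struct

PALO_ALTO_VENDOR_ID = 25461  # Palo Alto Networks IANA enterprise number
VSA_NAMES = {  # vendor attribute types from the Palo Alto RADIUS dictionary
    1: "PaloAlto-Admin-Role",
    2: "PaloAlto-Admin-Access-Domain",
    3: "PaloAlto-Panorama-Admin-Role",
    4: "PaloAlto-Panorama-Admin-Access-Domain",
    5: "PaloAlto-User-Group",
}
ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26  # RFC 2865 packet code / attribute type


def palo_alto_vsas(packet: bytes) -> dict:
    """Return {vsa_name: [values]} found in a RADIUS Access-Accept."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        raise ValueError(f"not an Access-Accept (code {code})")
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    found, pos = {}, 20
    while pos < length:
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("truncated or malformed attribute")
        a_type, value, pos = packet[pos], packet[pos + 2:pos + a_len], pos + a_len
        if a_type != VENDOR_SPECIFIC or len(value) < 6:
            continue
        if struct.unpack("!I", value[:4])[0] != PALO_ALTO_VENDOR_ID:
            continue  # another vendor's VSA
        sub = value[4:]  # one or more (type, length, string) sub-attributes
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            name = VSA_NAMES.get(sub[0], f"unknown-{sub[0]}")
            found.setdefault(name, []).append(sub[2:sub[1]].decode("utf-8", "replace"))
            sub = sub[sub[1]:]
    return found


def _vsa(vendor: int, v_type: int, text: str) -> bytes:
    body = struct.pack("!IBB", vendor, v_type, len(text) + 2) + text.encode()
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body


def sample_accept() -> bytes:
    """Constructed packet: zeroed authenticator, made-up role and group."""
    attrs = _vsa(25461, 1, "superuser") + _vsa(25461, 5, "cn=fw-admins,dc=example,dc=com")
    attrs += _vsa(9, 1, "shell:priv-lvl=15")  # other vendor's VSA, ignored
    return struct.pack("!BBH", 2, 7, 20 + len(attrs)) + bytes(16) + attrs
```

An empty result for a test login means the profile is not attached to the user or RADIUS client, so no admin role or group reaches the firewall for authorization.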

This section describes how to integrate Palo Alto NGFW with RSA Cloud Authentication Service or RSA Authentication Manager using RADIUS.

Configure Palo Alto NGFW

Perform these steps to configure Palo Alto NGFW for RADIUS.

Procedure

  1. Log in to the Palo Alto NGFW admin GUI and go to Device > RADIUS > Add.
  2. If you are using RSA Authentication Manager without Cloud services that use advanced authentication methods like Biometrics/Approve, set the timeout to 30 seconds and retries to 1.
  3. If you are using RSA Cloud Authentication Service with advanced authentication methods like Biometrics/Approve, set the timeout to 60 seconds and retries to 1.
  4. Type the IP address of RSA Authentication Manager, or the Identity Router management IP if it is Cloud Authentication.
  5. Sample configuration is as per below (for RADIUS):
    [Screenshots: sample RADIUS configuration]
  6. Create an Authentication Profile by going to Device > Authentication Profile, and associate the RADIUS profile created above with it.
  7. You can choose whether to retrieve the user groups from RSA. If you choose this and you have configured an allow list, then RSA must return those user groups in DN format; otherwise, Palo Alto will allow communication only if you are part of the allow list.
  8. You can set the user domain so that users do not have to enter it, and choose the appropriate username modifier as needed.
  9. Go to the Authentication Profile > Advanced tab, where you can choose which users are permitted in this profile.
  10. Sample configuration is as per below (RADIUS Authentication profile):
    [Screenshots: sample RADIUS Authentication profile configuration]

Configuration is complete.
