Palo Alto RADIUS Authentication with Windows NPS

In this article I will go through the steps required to implement RADIUS authentication using Windows NPS (Network Policy Server) so that firewall administrators can log-on using domain credentials.

My Setup

  • Palo Alto running PAN-OS 7.0.X
  • Windows Server 2012 R2 with the NPS Role – should be very similar if not the same on Server 2008 and 2008 R2 though
  • I will be creating two roles – one for firewall administrators and the other for read-only service desk users.

NPS Configuration

First we will configure the NPS server.

  1. Create the RADIUS clients first. The clients being the Palo Alto(s). If you have multiple or a cluster of Palo’s then make sure you add all of them. You don’t want to end up in a scenario where you can’t log-in to your secondary Palo because you forgot to add it as a RADIUS client. Make a note of the generated secret key as you will need it later on.
  2. Next create a connection request policy if you don’t already have one. A connection request is essentially a set of conditions that define which RADIUS server will deal with the requests. In my case the requests will come in to the NPS and be dealt with locally.
  3. Now we create the network policies – this is where the logic takes place.
Network Policies - Conditions
In the Conditions tab simply put the security group that you want to access the firewall. I created two network policies for firewall admins and read-only admins.
Network Policies - Constraints
You need to check the “Unencrypted authentication (PAP, SPAP)” option in the Constraints tab. Authentication with the Palo won’t work if you don’t check this box.
Network Policies - Settings
In the Settings tab click ‘Vendor Specific’ then ‘Add’. Here you want to select a custom vendor and create a vendor-specific attribute.
Network Policies - Settings
Here you want to add Palo’s vendor code which is 25461. Next you want to configure the attribute and select ‘1’ as the attribute number. The format will be a string and the value will be the new admin group we will create later on in the Palo. The name of my group is called firewalladmin and the name of my other read-only admins group is called firewalladminreadonly.
Network Policies - Settings
The ‘Vendor Specific’ page should now look like this.
Network Policies - Overview
Your network policies may look similar to this. I have two for the Palo. One for admins and the other for read-only admins.

Now let’s configure the Palo…

Palo Configuration

First we will configure the Palo for RADIUS authentication. This involves creating the RADIUS server settings, a new admin role (or roles in my case) and setting RADIUS as the authentication method for the device.

RADIUS Server Profile
Click Device –> Server Profiles –> RADIUS –> Add. Here you want to add the details of your RADIUS server. Don’t forget to use the same secret key you generated in the RADIUS configuration above!
Authentication Profile
Click Device –> Authentication Profile –> Add. Here you want to make the type ‘RADIUS’ and choose the profile you created earlier. Make sure you put your domain in the ‘User Domain’ field otherwise you will have to type domain\username to log-in instead of just the username which is more convenient. Of course if you have a multi-domain environment then you might want to leave that out.
Authentication Profile
Some articles will say that the allow list is optional and that you can just choose the ‘all’ group as you will define the AD groups allowed using your RADIUS server. However I strongly recommend adding your permitted AD groups in here too just in case of a configuration error on the RADIUS server. Defense in depth and all that good stuff 🙂 Note the failed attempts and lockout time options. Change these as appropriate for your environment.
Admin Roles
Click Device –> Admin Roles –> Add. Here you want to create one or more admin groups. As you can see in the example, I created a firewalladmin and firewalladminreadonly group. The read only group is intended to be used by the service desk so only shows the most useful pages. Important: Don’t forget these names are the ones we used in the network policy in the section above! If you name your groups something else then don’t forget to change your network policies as appropriate.
Device Authentication Settings
Click Device –> Setup –> Authentication Settings. Here you want to select the Authentication Profile you created earlier. Note the failed attempts and lockout time options. Change these as appropriate for your environment.

Note: Don’t forget to set the Device –> Authentication Settings –> Authentication Profile on all your Palo’s as the settings on these pages don’t sync across to peer devices.

Other tips

  • It is good idea to configure RADIUS accounting to monitor all access attempts
  • Change your local admin password to a strong, complex one
  • Monitor your Palo system logs if you’re having problems using this filter:

    [code]( eventid eq auth-success ) or ( eventid eq auth-fail )[/code]