Palo Alto Networks GlobalProtect VPN Configuration Guide (RADIUS)

Use this guide to configure Palo Alto Networks GlobalProtect VPN to send client IPs to the SecureAuth IdP RADIUS server.

When using a SecureAuth IdP RADIUS server integration with Palo Alto Networks GlobalProtect Gateway clients or Portal access, RADIUS server authentication logs may show the endpoint IP as the IP address of the VPN server since GlobalProtect does not send the client IP address using the standard RADIUS attribute Calling-Station-Id. However, Palo Alto Networks PAN-OS v7 includes a new RADIUS attribute (PaloAlto-Client-Source-IP) that contains the client IP address. This attribute can be enabled via the Palo Alto Networks administration shell to send the client IP to the SecureAuth IdP RADIUS server.

1. Ensure Palo Alto Networks SSL VPN device running PAN-OS 7.0.1+

2. Ensure SecureAuth IdP version 8.2+ is installed

3. Configure the SecureAuth IdP RADIUS Server version 2.1.0+

1. Connect to the Palo Alto Networks administration shell

2. Enable the PaloAlto-Client-Source-IP client IP attribute to be sent to the SecureAuth IdP RADIUS server by entering

      set authentication radius-vsa-on client-source-ip