Palo Alto Administrator Access RADIUS Integration
This integration helps you connect users with your MonoSign IdP over the RADIUS protocol. Before you continue, make sure you have a valid license and configuration on your Management Portal.
💡 Outcomes
This will help you add your IdP (Identity Provider) to your Palo Alto Firewalls and secure them with Multi-Factor Authentication.
This is highly recommended for securing your administrator access to your Palo Alto Firewalls.
📘 Instructions
The RADIUS implementation uses a shared secret: treat it like a password. Never share it with anyone, and protect it carefully.
1. Palo Alto Firewall RADIUS Configuration
a. RADIUS Server Profile
Go to your firewall admin page and click Device → Server Profiles → RADIUS → Add
Fill in the required information as shown in the tables below:
RADIUS Server Profile
Field | Value |
---|---|
Profile Name | Profile Name |
Timeout(sec) | 120 |
Retries | 3 |
Authentication Protocol | PAP |
Servers
Field | Value |
---|---|
NAME | Radius Server Name |
RADIUS SERVER | Radius Server IP |
SECRET | Radius Secret |
PORT | Radius Server Port - Default 1812 |
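
With PAP selected as the authentication protocol, the administrator password travels in the Access-Request hidden only by an MD5-derived keystream keyed with the shared secret (RFC 2865, section 5.2), which is why the SECRET field needs password-grade handling. The following Python is an added example, not MonoSign or Palo Alto code; the function names and sample values are constructed for illustration.

```python
# Added illustration of RFC 2865 User-Password hiding (PAP).
# Function names are hypothetical; sample values are constructed.
import hashlib
import os

BLOCK = 16  # MD5 digest size; the password is hidden in 16-byte blocks


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Encode User-Password the way a PAP Access-Request carries it."""
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 allows 1 to 128 password bytes")
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        # Keystream block = MD5(secret + previous ciphertext block)
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        hidden += prev
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse the hiding, as the RADIUS server does with its copy of the secret."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden value must be a non-empty multiple of 16 bytes")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        clear += bytes(c ^ m for c, m in zip(block, mask))
        prev = block
    return clear.rstrip(b"\x00")  # drop the null padding


if __name__ == "__main__":
    secret = b"constructed-shared-secret"        # constructed sample
    authenticator = os.urandom(BLOCK)            # random per request
    wire = hide_password(b"admin-passphrase-2024", secret, authenticator)
    print(len(wire), reveal_password(wire, secret, authenticator))
```

The secret is the only keying material in this scheme, so use a long random value that is unique to this firewall and keep RADIUS traffic on a trusted management network.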

b. Authentication Profile
Go to your firewall admin page and click Device → Server Profiles → RADIUS → Add
Fill in the required information as shown in the tables below:
Authentication Profile
Field | Value |
---|---|
Name | Profile Name |
Type | 120 |
Server-Profile | Choose the Server profile which you created in the previous step |

Advanced
Field | Value |
---|---|
Allow List | Choose all |
Failed Attempts | 0 |
Lockout Time (min) | 0 |

c. Changing the Authentication Method
Two methods can be used for authentication.
User Base
Go to your firewall admin page and click Device → Administrators → Add

To change an existing user's authentication profile, click the username on the firewall and change the Authentication Profile.
Global Authentication
After the RADIUS configuration, authentication can be changed globally in the device configuration.
Go to the Palo Alto admin web GUI, click Device → Setup → Management → Authentication Settings, and choose the RADIUS profile created in the previous steps.

Click OK, then Commit to save the changes.
2. Creating an Application on MonoSign
Go to your Management Portal and click Applications on the left sidebar. Create a new application.

Click “Keys” and then “Add New Key”. Next, choose Key Type as RADIUS.
You need to configure the NAS-Identifier or NAS-IP and the Secret. You will need this information while configuring your Palo Alto Firewall.
Your Secret must be unique, and you need to treat it like a password.
If you don’t know your NAS-Identifier (the RADIUS identifier that tells MonoSign which system users are authenticating to), you can leave it empty, but you need to enter the NAS-IP (the Palo Alto management interface IP).

You can save your configuration.
Now you can assign a user who will access the Palo Alto Firewall. Go to your Management Portal and click Applications on the left sidebar. Find the Palo Alto application and click it. Then click Assignments and click Assign a User.

It’s done. Now you can test logging in to your Palo Alto firewall via the Web GUI.
