Palo Alto Networks Knowledgebase: Which Radius Authentication Method is Supported on Palo Alto Networks Devices?

Which Radius Authentication Method is Supported on Palo Alto Networks Devices?

3174
Created On 02/07/19 23:59 PM - Last Updated 02/07/19 23:59 PM
Resolution

For PAN-OS 7.0, see the PAN-OS 7.0 Administrator's Guide for an explanation of how CHAP (which is tried first) and PAP (the fallback) are implemented: CHAP and PAP Authentication for RADIUS and TACACS+ Servers

For PAN-OS 6.1 and below, the only authentication method that Palo Alto Network supports is Password Authentication Protocol (PAP). The Radius server supports PAP, CHAP, or EAP. Ensure that PAP is selected while configuring the Radius server. If a different authentication is selected, then the error message in the authd.log will only indicate invalid username/password.

image015.png

Note: If the device is configured in FIPS mode, PAP authentication is disabled and CHAP is enforced.

owner: pvemuri



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVZCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language