Which RADIUS Authentication Method is Supported on Palo Alto Networks Devices?
For PAN-OS 7.0, see the PAN-OS 7.0 Administrator's Guide for an explanation of how CHAP (which is tried first) and PAP (the fallback) are implemented: CHAP and PAP Authentication for RADIUS and TACACS+ Servers
For PAN-OS 6.1 and below, the only authentication method that Palo Alto Networks supports is Password Authentication Protocol (PAP). The RADIUS server supports PAP, CHAP, or EAP. Ensure that PAP is selected while configuring the RADIUS server. If a different authentication method is selected, the error message in authd.log will only indicate an invalid username/password.
Note: If the device is configured in FIPS mode, PAP authentication is disabled and CHAP is enforced.
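Because authd.log reports only an invalid username/password on a method mismatch, inspecting the Access-Request itself shows which method was actually sent. The following is an added example, not from the original article or from Palo Alto Networks: it classifies a raw RADIUS Access-Request by its RFC 2865 / RFC 3579 attribute types. The function names and the sample packets are constructed for illustration.

```python
import struct

# Attribute types that identify the method (RFC 2865: 2, 3; RFC 3579: 79)
METHOD_ATTRS = {2: "PAP", 3: "CHAP", 79: "EAP"}

def parse_attributes(packet: bytes):
    """Return (code, [(type, value), ...]) for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute length out of bounds")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs

def auth_method(packet: bytes) -> str:
    """Name the authentication method carried by an Access-Request."""
    code, attrs = parse_attributes(packet)
    if code != 1:
        raise ValueError("not an Access-Request (code 1)")
    found = {METHOD_ATTRS[t] for t, _ in attrs if t in METHOD_ATTRS}
    if len(found) > 1:
        raise ValueError("conflicting method attributes: %s" % sorted(found))
    return found.pop() if found else "unknown"

def build_request(attrs):
    """Constructed sample builder: Access-Request with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", 1, 7, 20 + len(body)) + bytes(16) + body

# Constructed sample packets (placeholder values, not real captures)
PAP_REQ = build_request([(1, b"alice"), (2, bytes(16))])    # User-Password
CHAP_REQ = build_request([(1, b"alice"), (3, bytes(17))])   # CHAP-Password
EAP_REQ = build_request([(1, b"alice"), (79, b"\x02\x01\x00\x05\x01")])

if __name__ == "__main__":
    for name, pkt in [("pap", PAP_REQ), ("chap", CHAP_REQ), ("eap", EAP_REQ)]:
        print(name, "->", auth_method(pkt))
```
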