Palo Alto Networks Knowledgebase: CHAP preferred over PAP while sending RADIUS access request (PAN-OS 7.0 and later)
Created On 02/08/19 00:00 AM - Last Updated 02/08/19 00:01 AM
CHAP is a security improvement over PAP, which was the only RADIUS authentication option before PAN-OS 7.0.
Beginning with PAN-OS 7.0, the Palo Alto Networks firewall uses CHAP, instead of PAP, when sending the first RADIUS Access-Request message for an authentication.
Authd, the process that handles authentication on the firewall, always tries CHAP first and falls back to PAP only if the CHAP attempt fails.
This CHAP-then-PAP sequence is repeated for every incoming RADIUS Access-Request until one of two things happens:
1. authd receives a success or challenge response from the RADIUS server for the CHAP method (from then on, authd sends only CHAP requests)
2. authd receives a success or challenge response from the RADIUS server for the PAP method (from then on, authd sends only PAP requests)
On a Palo Alto Networks firewall running PAN-OS 7.0.3 or earlier there is no way to disable RADIUS CHAP mode manually, either from the CLI or from the web UI.
In PAN-OS 7.0.4 you can use 'set authentication radius-auth-type <auto|chap|pap>' to set the RADIUS authentication type manually.
Collect authentication debugs from the Palo Alto Networks firewall and packet captures of the RADIUS server traffic at the same time, as follows, and open a support case with TAC for further investigation:
1. Enable authd debugs on the Palo Alto Networks firewall:
debug authentication on debug
2. Have the user attempt the authentication.
3. When the user's authentication attempt is complete, disable the debugs by resetting the level to the default, info:
debug authentication on info
View the logs:
less mp-log authd.log
4. Remember to share the RADIUS shared secret so that the packet captures can be decrypted in Wireshark.
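As an added illustration that is not part of this knowledgebase article, the Python below shows why CHAP is the safer default and why step 4 asks for the shared secret: it encodes the User-Password attribute the way RFC 2865 specifies for PAP (reversible by anyone holding the shared secret and the capture, which is exactly what Wireshark does) and contrasts it with the CHAP-Password attribute, which a verifier can only recompute and compare. All secrets, passwords and authenticator values are constructed sample data.

```python
import hashlib

BLOCK = 16  # RADIUS hides User-Password in 16-byte blocks keyed by MD5


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """User-Password value per RFC 2865 section 5.2 (PAP): NUL-pad to 16 bytes,
    XOR each block with MD5(secret || previous block), seeded by the Request
    Authenticator from the packet header."""
    padded = password + b"\x00" * (-len(password) % BLOCK)
    out, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + BLOCK], key))
        out, prev = out + block, block
    return out


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert pap_hide: with the shared secret and the capture, the plaintext
    password comes straight back (this is what Wireshark does)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value per RFC 2865 section 5.3 / RFC 1994:
    CHAP Ident || MD5(Ident || password || challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def chap_verify(chap_password: bytes, password: bytes, challenge: bytes) -> bool:
    """The server recomputes the hash from its own copy of the password; the
    attribute on the wire cannot be turned back into the password."""
    if len(chap_password) != 17:
        return False
    return chap_response(chap_password[0], password, challenge) == chap_password


if __name__ == "__main__":
    # Constructed sample values, not taken from any real capture.
    secret, password = b"example-shared-secret", b"Hunter2!"
    authenticator, challenge = bytes(range(16)), bytes(range(16, 32))
    hidden = pap_hide(password, secret, authenticator)
    print("PAP, right secret :", pap_reveal(hidden, secret, authenticator))
    print("PAP, wrong secret :", pap_reveal(hidden, b"guess", authenticator))
    chap = chap_response(1, password, challenge)
    print("CHAP verifies     :", chap_verify(chap, password, challenge))
```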