Palo Alto Networks Knowledgebase: CHAP preferred over PAP while sending RADIUS access request (PAN-OS 7.0 and later)

Created On 02/08/19 00:00 AM - Last Updated 02/08/19 00:01 AM

Overview

CHAP is a security improvement over PAP, which was the only RADIUS authentication method available until PAN-OS 7.0. With PAP the firewall sends the user's password in the User-Password attribute, hidden only by an MD5 keystream derived from the RADIUS shared secret and the request authenticator, so anyone holding the shared secret can recover it from a packet capture. With CHAP the firewall sends an MD5 response to a one-time challenge instead, and the password itself never leaves the firewall. The trade-off is that the RADIUS server (or the directory behind it) must have the cleartext password available to compute the same response; a server that cannot verify CHAP rejects the request.

Beginning with PAN-OS 7.0, the Palo Alto Networks firewall uses CHAP rather than PAP when it sends the first RADIUS Access-Request for an authentication attempt.

Resolution

authd, the process that handles authentication on the firewall, always tries CHAP first and sends a PAP request only if the CHAP request fails.

authd behaves this way for every authentication attempt until one of two things happens:

  • authd receives an Access-Accept or Access-Challenge from the RADIUS server for the CHAP method
    (from then on, authd sends only CHAP requests)

or

  • authd receives an Access-Accept or Access-Challenge from the RADIUS server for the PAP method
    (from then on, authd sends only PAP requests)

The practical consequence: against a RADIUS server that cannot verify CHAP, every authentication attempt before the first successful PAP login produces a CHAP Access-Request, an Access-Reject, and then a PAP Access-Request. An Access-Reject logged on the server for the CHAP attempt is expected in that case and does not by itself mean the user entered a wrong password.

There is no option to manually disable RADIUS CHAP mode on a Palo Alto Networks firewall running PAN-OS 7.0.3 or earlier, either from the CLI or from the web interface.

PAN-OS 7.0.4 adds the CLI command set authentication radius-auth-type <auto|chap|pap> to set the RADIUS authentication type manually. Choose pap when the RADIUS server cannot verify CHAP, so that attempts no longer begin with a CHAP request that is bound to be rejected; auto keeps the CHAP-first behaviour described above.

Troubleshooting

Collect authentication debugs from the Palo Alto Networks firewall and a packet capture on the RADIUS server at the same time, in the following manner, then open a support case with TAC for further investigation:

  1. Turn on authd debugging on the firewall:

         debug authentication on debug

  2. Have the user attempt to authenticate, while the RADIUS traffic is being captured on the server.

  3. When the attempt is finished, set the debug level back to its default, info:

         debug authentication on info

     View the log:

         less mp-log authd.log

  4. Remember to provide the RADIUS shared secret together with the packet captures; Wireshark needs it (Edit > Preferences > Protocols > RADIUS, Shared Secret) to decode the User-Password attribute of PAP requests. The CHAP-Password attribute is a one-way response to a challenge and cannot be decoded even with the secret. Treat the shared secret as a credential: hand it over through a secure channel and rotate it on both the firewall and the RADIUS server once the case is closed.
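The following is an added example, written for this page and not Palo Alto Networks code or a description of how authd is implemented. It covers two passages at once: the CHAP-first, PAP-on-failure, then-stick-with-the-answered-method behaviour described under Resolution, and what handing over the shared secret in step 4 of Troubleshooting actually lets a capture tool recover. It builds RADIUS Access-Request packets according to RFC 2865 and RFC 1994 and runs them against a constructed mock server that either holds cleartext passwords (and so can verify CHAP) or holds only password hashes (and so rejects CHAP). The mock server, the AuthdLikeClient class, the user alice, the password and the shared secret are all assumptions for illustration, and the auto|chap|pap selector mirrors the PAN-OS 7.0.4 command in name only.

```python
# Added example (not Palo Alto Networks code): toy RADIUS client with the
# CHAP-first, PAP-on-failure, then-stick-with-the-answered-method behaviour the
# article describes for authd, on top of a minimal RFC 2865 / RFC 1994 encoder.
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def pap_encode(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    password += b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(password), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(password[i:i + 16], key))
        out += prev
    return out

def pap_decode(hidden, secret, authenticator):
    """Inverse of pap_encode; this is what Wireshark does once given the shared secret."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def chap_response(chap_id, password, challenge):
    """RFC 1994 2: MD5(id || password || challenge); the verifier needs the cleartext password."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def build_access_request(method, user, password, secret, ident=1):
    """Access-Request carrying CHAP-Password + CHAP-Challenge, or User-Password for PAP."""
    authenticator = os.urandom(16)
    attrs = _attr(USER_NAME, user.encode())
    if method == "chap":
        challenge = os.urandom(16)
        attrs += _attr(CHAP_PASSWORD, bytes([ident]) + chap_response(ident, password.encode(), challenge))
        attrs += _attr(CHAP_CHALLENGE, challenge)
    else:
        attrs += _attr(USER_PASSWORD, pap_encode(password.encode(), secret, authenticator))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def parse_attrs(packet):
    """Walk the type/length/value attribute list after the 20-byte RADIUS header."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs

class MockRadiusServer:
    """Constructed stand-in for the RADIUS server (assumption, not a real product).
    With cleartext_available=False it keeps only a SHA-256 of each password, cannot
    compute a CHAP response, and rejects CHAP: the case in which authd falls back to PAP."""

    def __init__(self, secret, users, cleartext_available=True):
        self.secret, self.cleartext_available = secret, cleartext_available
        self.users = {u: p.encode() if cleartext_available else hashlib.sha256(p.encode()).digest()
                      for u, p in users.items()}

    def handle(self, packet):
        authenticator, attrs = packet[4:20], parse_attrs(packet)
        stored = self.users.get(attrs.get(USER_NAME, b"").decode())
        if stored is None:
            return ACCESS_REJECT
        if CHAP_PASSWORD in attrs:
            if not self.cleartext_available:
                return ACCESS_REJECT
            chap_id, response = attrs[CHAP_PASSWORD][0], attrs[CHAP_PASSWORD][1:]
            challenge = attrs.get(CHAP_CHALLENGE, authenticator)  # RFC 2865: absent => use authenticator
            ok = hmac.compare_digest(chap_response(chap_id, stored, challenge), response)
        else:
            password = pap_decode(attrs[USER_PASSWORD], self.secret, authenticator)
            presented = password if self.cleartext_available else hashlib.sha256(password).digest()
            ok = hmac.compare_digest(presented, stored)
        return ACCESS_ACCEPT if ok else ACCESS_REJECT

class AuthdLikeClient:
    """Method selection as the article describes it; auth_type mirrors the 7.0.4
    auto|chap|pap knob in name only (its exact semantics are assumed here)."""

    def __init__(self, server, secret, auth_type="auto"):
        self.server, self.secret, self.auth_type = server, secret, auth_type
        self.locked = None  # method the server has answered with Accept or Challenge
        self.trace = []     # (method, response code) for every request sent

    def authenticate(self, user, password):
        if self.auth_type != "auto":
            order = [self.auth_type]
        else:
            order = [self.locked] if self.locked else ["chap", "pap"]
        for method in order:
            code = self.server.handle(build_access_request(method, user, password, self.secret))
            self.trace.append((method, code))
            if code in (ACCESS_ACCEPT, ACCESS_CHALLENGE):
                self.locked = self.locked or method
                return True
        return False

def password_from_capture(packet, secret):
    """What a capture plus the shared secret reveals: the PAP password, but nothing
    for CHAP, whose CHAP-Password is a one-way response to a one-off challenge."""
    attrs = parse_attrs(packet)
    if USER_PASSWORD not in attrs:
        return None
    return pap_decode(attrs[USER_PASSWORD], secret, packet[4:20]).decode()
```

Running AuthdLikeClient against a hash-only MockRadiusServer reproduces the pattern from the Resolution section: the first login leaves a trace of a rejected CHAP request followed by an accepted PAP request, and every later login sends PAP only. Against a cleartext-capable server the first CHAP request is accepted and the client never sends PAP. password_from_capture shows why TAC asks for the shared secret: it recovers the password from a PAP request but returns nothing for a CHAP request.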

See also

Useful information on CHAP
https://www.ietf.org/rfc/rfc1994.txt


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClcHCAS&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
