RADIUS Authentication after Upgrade to PAN OS 7.1.0 from 6.1.X
Symptom
Resolution
- As soon as any Global Protect user tries to connect to the portal and gateway, the RADIUS server silently drops the access request packets sent by the firewall.
Authd logs from the firewall
=============================================================================================
PA-3020(active)> tail follow yes mp-log authd.log
2016-04-08 12:36:31.734 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:178): request type (CHAP or PAP) has not determined yet, authd tries to send CHAP request to RADIUS server 10.1.0.20 now
2016-04-08 12:36:31.734 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:191): username: aserl
2016-04-08 12:36:31.734 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:404): RADIUS request type: CHAP
2016-04-08 12:36:35.712 -0700 debug: cfgagent_doop_callback(pan_cfgagent.c:502): received signal to execute for agent: authd
2016-04-08 12:36:35.713 -0700 debug: pan_authd_show_user_auth_stat_internal(pan_auth_ops.c:998): Got last
pan_auth_cache_get_vsys_domain_sso_id(pan_auth_cache_authprof_n_authseqprof.c:135): prof "Radius Profile", vsys "vsys1" has sso hash table id: 0 (0 means no or invalid keytab)
2016-04-08 12:37:02.820 -0700 debug: pan_auth_request_process(pan_auth_state_engine.c:1647): Trying to authenticate: <profile: "Radius Profile", vsys: "vsys1", username "aserl">
2016-04-08 12:37:02.820 -0700 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1121): Authenticating user "aserl" with <profile: "Radius Profile", vsys: "vsys1">
2016-04-08 12:37:02.820 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:178): request type (CHAP or PAP) has not determined yet, authd tries to send CHAP request to RADIUS server 10.1.0.20 now
2016-04-08 12:37:02.820 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:191): username: aserl
2016-04-08 12:37:02.820 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:404): RADIUS request type: CHAP
2016-04-08 12:37:33.873 -0700 debug: auth_svr_timeout_sent_request(pan_auth_svr.c:287): CHAP timeout & retry: authd id=298, username=aserl, protocol req id=1, retries=1 (svr ctxt timeout_in_sec 30, max_retries 5) (req elapsed 31 secs; max allowed 40 secs)
2016-04-08 12:37:38.873 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:2424): auth status: auth timed out
2016-04-08 12:37:38.874 -0700 debug: _log_auth_respone(pan_auth_server.c:243): Sent FAILED auth response for user 'aserl' (exp_in_days=0 (-1 never; 0 within a day))
2016-04-08 12:38:08.874 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:2424): auth status: auth timed out
2016-04-08 12:38:08.874 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:2591): Auth FAILED for user "aserl" thru <"Radius Profile", "vsys1">: remote server 10.1.0.20 of server profile "Radius" is down, or in retry interval, or request timed out (elapsed time 66 secs, max allowed 40 secs)
Logs from the RADIUS server:
=============================================================================================
2016-04-08T17:09:47.067480Z|0|5004|5020|prfad|Event 2.
2016-04-08T17:09:47.067480Z|0|5004|5020|prfad|Sock 0x000000000000014C
2016-04-08T17:09:47.067480Z|0|5004|5020|pfrad|Code 1 - ACCESS_REQUEST.
2016-04-08T17:09:47.067480Z|e|5004|5020|pfrad|Received invalid ACCESS_REQUEST packet. Dropping packet.
2016-04-08T17:09:47.067480Z|e|5004|5020|pfrad|processIncomingPacket failed.
Because the RADIUS server was dropping the packets, the firewall never received a success (Access-Accept) or challenge (Access-Challenge) response to its CHAP query, and the fall-back to PAP authentication did not happen; this is what caused the issue.
The RADIUS server was configured so that the user enters credentials in the GlobalProtect client software and then receives a call on their cell phone asking them to press # for confirmation; hence the timeout is configured higher (30-40 seconds).
If the server is only configured to use PAP authentication, use the command below to address this type of issue:
>set authentication radius-auth-type pap
This command is persistent across reboots, but not across software updates.
After running this command, the user connected to GlobalProtect successfully.
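To see why a PAP-only server treats the firewall's first CHAP attempt as an invalid Access-Request, the following added example (not from this article or from PAN-OS) builds both flavours of RADIUS Access-Request per RFC 2865 and classifies a captured packet by the credential attribute it carries; the username, password and shared secret are constructed values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1  # RADIUS packet code
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60  # RFC 2865 attribute types

def _attr(atype, value):
    # RADIUS attribute TLV: type (1 byte), length including header (1 byte), value
    return struct.pack("BB", atype, len(value) + 2) + value

def pap_password(password, secret, authenticator):
    # RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous cipher block), seeded by the authenticator
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out

def build_access_request(username, password, secret, auth_type, ident=1):
    # Header: code, identifier, total length, 16-byte Request Authenticator, then attributes
    authenticator = os.urandom(16)
    attrs = _attr(USER_NAME, username)
    if auth_type == "PAP":
        attrs += _attr(USER_PASSWORD, pap_password(password, secret, authenticator))
    else:  # CHAP: attribute 3 carries CHAP ident + MD5 response, attribute 60 the challenge
        chap_id, challenge = b"\x01", authenticator
        attrs += _attr(CHAP_PASSWORD, chap_id + hashlib.md5(chap_id + password + challenge).digest())
        attrs += _attr(CHAP_CHALLENGE, challenge)
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def radius_auth_type(packet):
    """Return 'PAP', 'CHAP', 'unknown' or 'invalid' for a captured Access-Request."""
    if len(packet) < 20:
        return "invalid"
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        return "invalid"
    types, pos = set(), 20
    while pos < length:  # walk the attribute TLVs; a bad length field means a malformed packet
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            return "invalid"
        types.add(packet[pos])
        pos += packet[pos + 1]
    if USER_PASSWORD in types:
        return "PAP"
    return "CHAP" if CHAP_PASSWORD in types else "unknown"
```

Feeding radius_auth_type() the UDP payload of an Access-Request from a capture on the RADIUS port confirms whether the firewall is still sending CHAP before the PAP-only server drops it.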
Authd logs
=====================
2016-04-08 13:39:49.991 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:191): username: aserl
2016-04-08 13:40:09.986 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:412): RADIUS request type: PAP
2016-04-08 13:40:13.151 -0700 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:241): resp_code = RAD_ACCESS_ACCEPT
2016-04-08 13:40:13.151 -0700 debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1202): Got response for user: "aserl"
2016-04-08 13:40:13.151 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:2424): auth status: auth success
Thank you.