Symptom
A configuration from a Palo Alto Networks firewall using RADIUS authentication fails to load into another Palo Alto Networks firewall. The configuration was taken from the output of the show command in "set" format on the source firewall, and an attempt was made to copy it into the other firewall.
The following error appears when the extracted configuration is pasted into another firewall's CLI:
invalid syntax. should be less than 64 characters
Cause
The RADIUS secret in the show command output is a hash. This hash is longer than 64 characters, so the invalid syntax error message appears and the copy fails.
Note: The firewall expects all values to be in clear text. The hash is an invalid value, so the authentication would not work properly even if the copy completed successfully.
Details
In the command below, the value of secret is the clear text password and should be less than 64 characters:
set shared server-profile radius RADIUS1 server RADIUS-SERVER1 secret {value}
<value> Shared secret for radius communication
The following commands set the output format and show the configuration:
> set cli config-output-format set
> configure
# show
In the output, where the firewall is configured for RADIUS, a line for the RADIUS secret will appear similar to the following:
set shared server-profile radius RADIUS1 server RADIUS-SERVER1 secret -AQ==nmJKggQCBKgkN9YCS7JQhfTuxMQ=GZmosa0zMRZ97vB2KJw7+y7wKYc2k3pXfuFTE7x7hF3=
Due to the length of the above hash, the error message "invalid syntax. should be less than 64 characters" will be displayed when this configuration copy is pasted into another firewall.
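A pre-paste check for the situation described above, as an added example that is not part of the original article and not Palo Alto Networks code: it separates set-format lines that can be pasted as-is from secret lines whose value is too long to be clear text and must be re-entered by hand. The function name and report format are hypothetical; the sample reuses the hashed line shown above, and the hostname line and RADIUS-SERVER2 secret are constructed.

```python
import re

# Matches set-format lines ending in "secret <value>", as in the article's
# "set shared server-profile radius ... secret ..." command.
SECRET_LINE = re.compile(r"^(set\s+.*\bsecret)\s+(\S+)\s*$")
MAX_SECRET_LEN = 63  # the CLI requires a value of fewer than 64 characters


def split_for_paste(config_text):
    """Return (paste_safe_lines, manual_entries).

    manual_entries holds (line_number, command_prefix, value_length) for each
    secret that is too long to be clear text. The value itself is never
    copied into the report.
    """
    safe, manual = [], []
    for number, line in enumerate(config_text.splitlines(), start=1):
        match = SECRET_LINE.match(line.strip())
        if match and len(match.group(2)) > MAX_SECRET_LEN:
            manual.append((number, match.group(1), len(match.group(2))))
        else:
            safe.append(line)
    return safe, manual


# Sample input: line 2 is the hashed line from the article; lines 1 and 3
# are constructed for this example.
SAMPLE_CONFIG = "\n".join([
    "set deviceconfig system hostname fw-lab",
    "set shared server-profile radius RADIUS1 server RADIUS-SERVER1 secret "
    "-AQ==nmJKggQCBKgkN9YCS7JQhfTuxMQ=GZmosa0zMRZ97vB2KJw7+y7wKYc2k3pXfuFTE7x7hF3=",
    "set shared server-profile radius RADIUS1 server RADIUS-SERVER2 secret ExampleSecret123",
])

if __name__ == "__main__":
    safe_lines, manual_entries = split_for_paste(SAMPLE_CONFIG)
    print("Paste as-is:")
    for line in safe_lines:
        print("  " + line)
    print("Re-enter with the clear text secret:")
    for number, prefix, length in manual_entries:
        print(f"  line {number}: {prefix} <value>  (exported value is {length} chars)")
```

Length is only a heuristic for spotting the hashed form; any secret line copied from show output still needs its clear text value supplied on the destination firewall.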
owner: jlunario