What is X-Auth support in PAN firewalls and how to troubleshoot it?

Created On 09/17/20 15:03 PM - Last Modified 01/15/21 18:40 PM


Question
  • What is X-Auth?
  • How do you troubleshoot X-Auth?


Environment
  • Palo Alto Networks firewalls running PAN-OS 8.1 and above
  • This assumes the customer already has a GlobalProtect portal and gateway set up and has enabled X-Auth support on the gateway. This setting is located at Network >> GlobalProtect >> Gateways >> (gateway) >> Agent >> Tunnel Settings >> Enable X-Auth Support. It requires Tunnel Mode to be enabled and takes a Group Name and Group Password; the third-party client must present the Group Name as its IKE identity and the Group Password as its pre-shared key.
  • It also assumes the customer has configured the third-party VPN client application properly.
User-added image


Answer
What is X-Auth and how does it work with the firewall? 
  • X-Auth (Extended Authentication within IKE) is what Palo Alto Networks uses to support third-party IPsec VPN clients connecting to a GlobalProtect gateway.
  • It allows the third-party client to authenticate the user against the GlobalProtect gateway's authentication profile as an additional step of the IKE negotiation, after the two endpoints have authenticated each other with the group pre-shared key.
  • IKEv1 must be used on the third-party clients. X-Auth is an IKEv1 extension and has no IKEv2 equivalent (IKEv2 uses EAP for this purpose instead).
  • Supported IPsec clients: Third-Party VPN Client Support
  • The Palo Alto Networks firewall uses the OpenSSL crypto library. Reference: GlobalProtect App Cryptographic Functions
  • The customer sets the crypto configuration in the third-party application. As long as the firewall supports those parameters and the pre-shared key (the gateway's Group Password, sent together with the Group Name as the IKE identity) is correct, IKE phase 1 and phase 2 should negotiate successfully.
  • GlobalProtect IPsec crypto profiles are not used for X-Auth clients; the proposal comes from the client and is matched by the gateway.
  • The end device simply sets up an IPsec tunnel between itself and the GlobalProtect gateway interface.
  • Troubleshooting the tunnel is done much the same way as for any IPsec tunnel: check whether the IKE and IPsec SAs exist (show vpn ike-sa, show vpn ipsec-sa), then read the IKE daemon log (less mp-log ikemgr.log, with debug ike global on debug for more detail) to see at which stage (phase 1, X-Auth, or phase 2) the negotiation stopped, and check whether the user is listed in show global-protect-gateway current-user. Please refer to the document below for a list of available resources.
  • Below is the description of what X-Auth does, from the IETF draft:

   [IKE] allows a device to set up a secure session by using a
   bidirectional authentication method using either pre-shared keys or
   digital certificates.  However [IKE] does not provide a method to
   leverage legacy authentication methods which are widely deployed
   today.

   This document describes a method for using existing unidirectional
   authentication mechanisms such as RADIUS, SecurID, and OTP within
   IPsec's ISAKMP protocol.  The purpose of this draft is not to
   replace or enhance the existing authentication mechanisms described
   in [IKE], but rather to allow them to be extended using legacy
   authentication mechanisms.

   This protocol is designed in such a way that extended authentication
   may be accomplished using any mode of operation for phase 1 (i.e.
   Main Mode or Aggressive Mode) as well as any authentication method
   supported by [IKE].  This protocol may also be easily extended to
   support new modes or authentication methods.  This protocol does
   however require that the phase 1 authentication method be fully
   secure.
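As an added example that is not part of the original article or of Palo Alto Networks' documentation, here is what the third-party client side of such a setup looks like for strongSwan, using the legacy ipsec.conf/ipsec.secrets syntax (the same settings can be expressed in swanctl.conf). It ties together the points above: IKEv1 only, the gateway's Group Name as the IKE identity, the Group Password as the phase 1 pre-shared key, the user's own credentials for the X-Auth step, and a client-chosen proposal that the gateway must accept. The gateway address, group name, group password, username, password and cipher suites are placeholders chosen for illustration and must match what is configured on the gateway. The two files are shown concatenated in one block with a comment marking where the second file starts.

```ini
# ---- /etc/ipsec.conf (strongSwan, legacy syntax) ----
# Example X-Auth (XAUTH over IKEv1) client for a GlobalProtect gateway.
# All addresses, identities, secrets and cipher choices are placeholders.
config setup
    # Raise to "ike 4" while troubleshooting a phase 1 or X-Auth failure.
    charondebug="ike 2, cfg 2"

conn gp-xauth
    # X-Auth is an IKEv1 extension; IKEv2 is not an option here.
    keyexchange=ikev1
    # Aggressive mode sends the client's identity (the Group Name) in the first
    # message, which is what lets the gateway select the group pre-shared key for
    # a roaming client whose source IP is not known in advance.
    aggressive=yes
    # Phase 1 proposal. The trailing "!" offers only this suite, so a mismatch
    # with what the gateway supports fails fast and is visible in ikemgr.log.
    ike=aes256-sha256-modp2048!
    # Phase 2 proposal. The gateway's GlobalProtect IPsec crypto profile does not
    # apply to X-Auth clients; the gateway matches what the client sends.
    esp=aes256-sha256!
    left=%defaultroute
    # IKE identity = Group Name configured on the gateway (placeholder value).
    leftid=@gp-group
    # Phase 1 authentication: pre-shared key = the gateway's Group Password.
    leftauth=psk
    # Then the X-Auth step: user credentials checked against the gateway's
    # GlobalProtect authentication profile.
    leftauth2=xauth
    # X-Auth username (placeholder).
    xauth_identity=alice
    # Request a virtual IP from the gateway's client IP pool.
    leftsourceip=%config
    # GlobalProtect gateway interface address or FQDN (placeholder).
    right=gp-gateway.example.com
    rightid=%any
    rightauth=psk
    # Send all traffic through the tunnel; narrow this for split tunnelling.
    rightsubnet=0.0.0.0/0
    # Load the connection; bring it up manually with: ipsec up gp-xauth
    auto=add

# ---- /etc/ipsec.secrets ----
# Group Name : PSK "Group Password"   (phase 1, shared by every client in the group)
@gp-group : PSK "GroupPassword-placeholder"
# X-Auth username : XAUTH "user password"   (per-user, checked by the auth profile)
alice     : XAUTH "UserPassword-placeholder"
```

Bring the tunnel up with ipsec up gp-xauth and watch ipsec statusall on the client. On the firewall, show vpn ike-sa should list a phase 1 SA from the client's public IP once the group pre-shared key and the X-Auth credentials have both been accepted, and show vpn ipsec-sa the phase 2 SA after that; if either is missing, ikemgr.log shows whether the proposal, the pre-shared key (group password) or the X-Auth credentials were rejected, which is the same split a practitioner applies to any IPsec tunnel.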



Source: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAlICAW&lang=en_US