Clientless GP Authentication failing using EAP on RADIUS Server

Created On 05/10/21 20:33 PM - Last Modified 08/05/21 17:52 PM


Symptom


  • GlobalProtect Clientless VPN configured to authenticate via Extensible Authentication Protocol (EAP) for RADIUS
  • Certificate errors in authd.log when viewed from the firewall CLI
2021-05-10 16:58:48.745 +0800 Error:  EapolStatusCb(pan_auth_eapol.c:998): (AId:6751996388145100014) Certificate error (unable to get local issuer certificate).
2021-05-10 16:58:48.745 +0800 Error:  EapolStatusCb(pan_auth_eapol.c:998): (AId:6751996388145100014) Certificate error (unknown CA).
2021-05-10 16:58:48.745 +0800 debug: mark_success(pan_auth_eapol.c:334): (AID:6751996388145100014) failed


Environment


  • PAN-OS
  • GlobalProtect Clientless VPN
  • Authentication via Extensible Authentication Protocol (EAP) for RADIUS
  • Windows Server 2008


Cause


The firewall is not able to validate the certificate that the RADIUS server presents for EAP (PEAP). The first log line, "unable to get local issuer certificate", is the OpenSSL chain-validation failure: the CA that issued the RADIUS server certificate is not among the CA certificates the firewall trusts for this RADIUS server profile, so the chain cannot be built. The second line, "unknown CA", is the corresponding TLS alert, and the EAP exchange is marked failed before user credentials are ever sent.

Resolution


Verify that the certificate configured for PEAP on the RADIUS Server is the one the firewall expects: the CA certificate (and any intermediate CA) that issued the RADIUS server certificate must be present in the certificate profile referenced by the RADIUS server profile on the Palo Alto Networks firewall, and the NPS policy must actually be set to present that server certificate. If the firewall generated the server certificate, import the firewall's issuing CA certificate into that certificate profile; if a third-party CA issued it, import that CA's chain instead.
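The check below is an added example and is not part of the Palo Alto Networks article. It reproduces, offline, the validation the firewall performs on the certificate NPS presents during PEAP, using the openssl CLI: it generates a throwaway issuing CA and a second, unrelated CA, issues a server certificate for a hypothetical NPS host (nps.example.test, a constructed name), and then verifies the server certificate against each CA. Verifying against the wrong CA fails with exactly the "unable to get local issuer certificate" reason seen in authd.log; verifying against the issuing CA succeeds. All key material is generated on the fly and discarded.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks article): reproduce the
# firewall's chain validation of the RADIUS/NPS PEAP server certificate
# with the openssl CLI. "lab-ca" issues the server certificate; "other-ca"
# stands in for a CA that was imported into the firewall's certificate
# profile by mistake. Host name and CA names are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for a self-signed CA certificate (explicit CA:TRUE so that
# every openssl version accepts it as an issuer).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# make_ca PREFIX CN -> PREFIX.key and PREFIX.pem (throwaway 2048-bit RSA, 1-day validity)
make_ca() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
    -extfile ca.ext -out "$1.pem" 2>/dev/null
}
make_ca lab-ca   "Lab Issuing CA"
make_ca other-ca "Unrelated CA"

# Server certificate for the NPS host, issued by lab-ca, carrying the
# Server Authentication EKU that PEAP peers expect of a RADIUS server.
openssl req -newkey rsa:2048 -nodes -keyout nps.key -out nps.csr \
  -subj "/CN=nps.example.test" 2>/dev/null
printf 'extendedKeyUsage=serverAuth\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:nps.example.test\n' > nps.ext
openssl x509 -req -in nps.csr -CA lab-ca.pem -CAkey lab-ca.key -CAcreateserial \
  -days 1 -extfile nps.ext -out nps.pem 2>/dev/null

# check_chain CA_FILE SERVER_CERT
# Prints "ok" when SERVER_CERT chains to CA_FILE, otherwise the openssl
# failure reason, e.g. "unable to get local issuer certificate".
check_chain() {
  if out=$(openssl verify -CAfile "$1" "$2" 2>&1); then
    echo ok
  else
    # openssl reports e.g. "error 20 at 0 depth lookup: unable to get local issuer certificate"
    echo "$out" | sed -n 's/.*error [0-9]* at [0-9]* depth lookup: *//p' | head -n 1
  fi
}

# Same server certificate, two different CA files in the "certificate profile":
echo "issuing CA in profile:   $(check_chain lab-ca.pem nps.pem)"
echo "unrelated CA in profile: $(check_chain other-ca.pem nps.pem)"
```

On a real deployment, nps.pem is the certificate the NPS network policy presents (export it from the Personal store of the local computer on the server) and the CA file is the certificate loaded into the certificate profile that the firewall's RADIUS server profile references; when an intermediate CA issued the server certificate, concatenate the intermediate and root certificates into the CA file, since the firewall needs the full chain as well.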

Additional Information


Extensible Authentication Protocol (EAP) Support for RADIUS


Installing the certificate for Extensible Authentication Protocol (EAP) on the RADIUS server

www.entrust.com/knowledgebase/ssl/how-is-the-server-certificate-installed-on-microsoft-network-policy-server-nps-on-windows-2008-server

Note:  This article is written for informational purposes only. Palo Alto Networks does not support any third-party operating systems.
  1. Obtain the RADIUS server certificate, either from a third-party certificate authority or by generating the server certificate on the firewall.
  2. Install the certificate together with its private key in the Personal certificate store of the local computer on the Windows machine.
  3. Open Administrative Tools.
  4. Open Network Policy Server.
  5. Click Network Policies and select the policy created to authenticate users from the Palo Alto Networks firewall (in the example, the policy named "palo").
  6. Right-click the policy and click Properties.
  7. Click Constraints > Authentication Methods.
  8. Edit Microsoft: Protected EAP (PEAP).
  9. Select the server certificate that this RADIUS server should present when a device connects to it; this must be the certificate whose issuing CA the firewall trusts.
  10. Click OK.

