RADIUS authentication stopped working after PAN-OS upgrade to 10.2
Created On 10/16/22 02:02 AM - Last Modified 03/10/25 21:29 PM
Symptom
- System logs (show log system) report authentication failures:
10:33:54 medium auth auth_r auth-fa 0 failed authentication for user 'lab\test'. Reason: Authentication server certificate verification failed. EAP outer identity 'lab\test', inner identity 'lab\test', auth profile 'auth_radius', vsys 'vsys1', server profile 'srv_prof_radius', server address '192.168.168.10', auth protocol 'PEAP-MSCHAPv2', reply message 'Invalid username or password' From: 10.10.10.10.
- Authd logs (less mp-log authd.log) report the same failures; the "Certificate error (protocol version)" entry is the one that identifies the TLS version mismatch:
14:18:20.479 +0200 Error: EapolStatusCb(pan_auth_eapol.c:997): (AId:7143905329200234573) Certificate error (protocol version).
14:18:20.479 +0200 debug: EncapRadius(pan_auth_eapol.c:693): (AId:7143905329200234573) Ignored Encap (Status: -1)
14:18:20.479 +0200 debug: Rad_rx_auth(pan_auth_eapol.c:639): (AId:7143905329200234573) Done with RADIUS (Code: 11).
14:18:20.479 +0200 (AId:7143905329200234573) Done with EAPOL Error: -1
14:18:20.479 +0200 debug: mark_success(pan_auth_eapol.c:333): (AID:7143905329200234573) failed
14:18:20.479 +0200 debug: _doneEap(pan_auth_eapol.c:1609): (AId:7143905329200234573) Enqueuing completion task (Status:-1)
14:18:20.479 +0200 debug: process_eap_completion(pan_auth_eapol.c:1741): **EAP** Number of completion tasks: 0
14:18:20.479 +0200 debug: _doneEap(pan_auth_eapol.c:1619): (AId:7143905329200234573) Enqueued completion task
14:18:20.739 +0200 debug: process_eap_completion(pan_auth_eapol.c:1747): (AId:7143905329200234573) Dequeue completion task
14:18:20.739 +0200 debug: pan_auth_radius_eapol_cb(pan_auth_service_handle.c:1450): RADIUS EAP callback function returns result -1 for user "lab\test"
Environment
- PAN-OS 10.2 (firewall acting as the RADIUS client and EAP peer)
- PEAP-MSCHAPv2 authentication protocol in the RADIUS server profile
- RADIUS server running on Windows Server 2012 R2 (Microsoft EAP implementation)
Cause
- By default, the Microsoft EAP implementation on Windows Server 2012 R2 negotiates TLS 1.0 only for the PEAP outer tunnel.
- PAN-OS 10.2 only supports TLS 1.2 and 1.3, so the PEAP TLS handshake between the firewall and the RADIUS server fails on the protocol version before any credentials are exchanged. The RADIUS reply message 'Invalid username or password' seen in the system log is therefore misleading; the authd.log entry "Certificate error (protocol version)" shows the real cause.
Resolution
- Workaround: enable TLS 1.2 for Microsoft EAP on the Windows Server 2012 R2 RADIUS server by adding the registry value below, since PAN-OS 10.2 only supports TLS 1.2 and 1.3. Restart the server afterwards so the EAP host picks up the change.
- Once the value is added and the server restarted, authentication should start working.
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
Value name: TlsVersion
Type: REG_DWORD
Data: 0xC00 (TLS 1.2)
Additional Information
TLS version and respective TlsVersion DWORD value. The values are bit flags and can be combined (for example 0xCC0 enables TLS 1.0 and TLS 1.2); 0xC00 alone, as in the workaround above, restricts EAP to TLS 1.2, which is what PAN-OS 10.2 requires.
TLS version  DWORD value
TLS 1.0      0xC0
TLS 1.1      0x300
TLS 1.2      0xC00
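The following PowerShell script is an added example, not part of the original Palo Alto Networks article or of any Microsoft tooling. It applies the workaround above on the Windows Server 2012 R2 RADIUS server and decodes the TlsVersion bit flags from the table so the administrator can see which TLS versions Microsoft EAP will negotiate before and after the change. Assumptions: the value name is TlsVersion under the EAP\13 key, the flags 0xC0 / 0x300 / 0xC00 are combinable bit flags, and the script runs in an elevated session on the RADIUS server.

```powershell
# Added example (not from the article): enable TLS 1.2 for Microsoft EAP on the
# Windows Server 2012 R2 RADIUS server used by PAN-OS 10.2 and verify the result.
# Assumption: the registry value under EAP\13 is named TlsVersion (REG_DWORD) and
# the per-version values below are bit flags that may be OR'd together.

$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\RasMan\PPP\EAP\13'
$ValueName = 'TlsVersion'

# TLS version flags from the article's table.
$TlsFlags = [ordered]@{
    'TLS 1.0' = 0xC0
    'TLS 1.1' = 0x300
    'TLS 1.2' = 0xC00
}

function Get-EapTlsVersions {
    # Returns the TLS versions currently enabled for EAP. An absent value means the
    # Windows Server 2012 R2 default, i.e. TLS 1.0 only.
    $current = (Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($null -eq $current) { return @('TLS 1.0 (default, value absent)') }
    $TlsFlags.Keys | Where-Object { ($current -band $TlsFlags[$_]) -eq $TlsFlags[$_] }
}

function Set-EapTlsVersions {
    # Builds the bitmask for the requested versions, writes it and returns the mask.
    param([Parameter(Mandatory)][string[]]$Versions)
    $mask = 0
    foreach ($v in $Versions) {
        if (-not $TlsFlags.Contains($v)) { throw "Unknown TLS version '$v'" }
        $mask = $mask -bor $TlsFlags[$v]
    }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value $mask -Force | Out-Null
    return $mask
}

"Before: {0}" -f ((Get-EapTlsVersions) -join ', ')

# PAN-OS 10.2 negotiates TLS 1.2 or 1.3 only, so TLS 1.2 must be in the mask.
# 'TLS 1.2' alone writes 0xC00 as the article prescribes; use 'TLS 1.0','TLS 1.2'
# (0xCC0) only if other supplicants still depend on TLS 1.0.
$mask = Set-EapTlsVersions -Versions 'TLS 1.2'
"Wrote {0} = 0x{1:X}" -f $ValueName, $mask
"After:  {0}" -f ((Get-EapTlsVersions) -join ', ')

if ((Get-EapTlsVersions) -notcontains 'TLS 1.2') {
    throw 'TLS 1.2 is still not enabled for EAP; check the registry value.'
}
Write-Warning 'Restart the server so the EAP host picks up the new TlsVersion value, then retest from the firewall.'
```

After the restart, retest with "test authentication authentication-profile auth_radius username <user> password" on the firewall and confirm that authd.log no longer reports "Certificate error (protocol version)".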