topic Re: Radius Auth Profile with PEAP-MsCHAPv2 in GlobalProtect Discussions

Radius Auth Profile with PEAP-MsCHAPv2

Namalw — Wed, 23 Sep 2020 05:00:55 GMT

Has anyone successfully integrated Radius Auth profile PEAP-MsCHAPv2 with NPS or any other Radius platform?

I have configured my Radius Auth Profile and attached relevant Cert profile to it as per below knowledgebase article.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmkRCAS

However we are unable to establish successful authentication attempt for global protect user on radius auth profile, If I changed the Radius auth type to PAP it works fine.

Below is the NPS setting used shared by team managing NPS

Re: Radius Auth Profile with PEAP-MsCHAPv2

khans — Fri, 25 Sep 2020 23:04:06 GMT

PEAP-MSCHAPv2 to work, a certificate will be required on the domain controller, which needs to be signed by an Internal PKI CA.

As you can see above that my DC01 has a certificate issued by my Root CA SOS.local

On the firewall side, you should have the following configuration:

From the screenshot above, we can see the certificate profile applied "PEAP-Cert", which will have by signing CA and authentication protocol is selected as PEAP-MSCHAPv2

After the config above, you can create an authentication profile with the RADIUS profile above an apply it to your Portal or gateway or both.

Hope that helps!

Re: Radius Auth Profile with PEAP-MsCHAPv2

Ranandaraj — Thu, 08 Jul 2021 17:19:21 GMT

Hi Sakhan,

Im looking at your first screenshot which shows PEAP Properties, you have chosen "Microsoft: Protected EAP (PEAP)" and I was curious to know why you've also checked MSCHAPv2 under the less secure authentication methods. Is there a reason to that. In my setup I do not have anything checked under less secure authentication method and it works as intended.