topic Authentication Radius doesn't work after upgrade firmware to 10.2.2 in GlobalProtect Discussions

Authentication Radius doesn't work after upgrade firmware to 10.2.2

Ots-network — Wed, 06 Jul 2022 09:40:37 GMT

Hi everyone,

on PA-220 I've update firmware version from 10.1.5h1 to 10.2.2.

We have globalprotect work with Radius Authentication with protocol PEAP-MSCHAPv2.

After the upgrade it doesn't work anymore. (it works with other protocol, like PAP).

Certificates are ok, nothing changed.
We've already tried to change radius server without success.
This is the error:

test authentication authentication-profile vpn-radius username ots50025 password
Enter password :

Target vsys is not specified, user "ots50025" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
user "xxxxxxx\ots50025" is a member of allowed group "cn=vpn-cisco-ch,ou=permission groups,dc=xxxxxx,dc=local" on vsys "vsys1"
Egress: No service source route is set, might use destination source route if configured
Test authentication to RADIUS server 10.2.20.55:1812 for user: "ots50025" using protocol: PEAP with MSCHAPv2
Failed EAPOL auth (-1).
Response for user: "ots50025" from RADIUS server: "protocol version"
Authentication failed against RADIUS server at 10.2.20.55:1812 for user "ots50025"

Any ideas?
It's not among know issues of the new version.

Thanks to everyone.

Re: Authentication Radius doesn't work after upgrade firmware to 10.2.2

Ots-network — Wed, 06 Jul 2022 12:18:26 GMT

UPDATE:

we've opened a tk to palo alto support, they suggest us to try with a radius server Win2022. and it works.
Waiting for some more explanation and to know if they will fix the issue with some new release.

Re: Authentication Radius doesn't work after upgrade firmware to 10.2.2

BPry — Thu, 07 Jul 2022 21:19:26 GMT

@Ots-network,

What version of Windows Server are you currently running? I haven't run into this issue in my lab where I have 10.2 still going through validation, but those are connecting to Server 2022 and Server 2019 installs.

Re: Authentication Radius doesn't work after upgrade firmware to 10.2.2

Ots-network — Mon, 25 Jul 2022 14:33:57 GMT

Hello BPry,

sorry for the delate but i was on holiday.
At this moment we are still waiting for an answer from Palo Alto.

Now we are working with a 2022 Radius.

The answer from PA was simply: chiper suite is different in 10.2

but if we check online 10.2 and 10.1 chiper suite are the same.

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-supported-in-pan-os-10-2/cipher-suites-supported-in-pan-os-10-2-decryption#idf5ea9a25-3f5c-47d7-90f7-51c7a93696b4

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-supported-in-pan-os-10-1/cipher-suites-supported-in-pan-os-10-1-decryption

At this point they asked us to send the certificate and now we are waiting since 10 days.
No news.

About your question we had 2008 and a 2016 radius. Unfortunately we can't test 2019 at this moment.

Re: Authentication Radius doesn't work after upgrade firmware to 10.2.2

ExternalSupport — Tue, 22 Nov 2022 12:56:06 GMT

Hello,

Did you received any updates on this case ?
We are facing the same issue with radius server in 2016.

Regards

Re: Authentication Radius doesn't work after upgrade firmware to 10.2.2

PedroLopez — Wed, 23 Nov 2022 21:52:24 GMT

Hello,

I'm having the same issue with NPS installed on windows 2019 Datacenter. After upgrading to 10.2.3 MSCHAPv2 authentication stopped working. PAP is working with no issues.

admin@PA-220> test authentication authentication-profile "Authentication Profile" username "Username" password
Enter password :

Target vsys is not specified, user "Username" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
name "Username" is in group "all"

Egress: No service source route is set, might use destination source route if configured
Test authentication to RADIUS server X.X.X.X:1812 for user: "Username" using protocol: PEAP with MSCHAPv2
Failed EAPOL auth (3).
Authentication failed against RADIUS server at X.X.X.X:1812 for user "Username"

Authentication failed for user "Username"

admin@PA-220>

Re: Authentication Radius doesn't work after upgrade firmware to 10.2.2

ExternalSupport — Thu, 24 Nov 2022 07:37:20 GMT

Hello,

Thank you for those details, it shows the fact that even a windows 2019 is not sufficient.

On our side, we tried updating palo from 10.1.8 to 10.2.2-h2 (the actual preferred palo support release).
We can't see any authentication logs on the server radius side when a user try to connect through GP.

Regards

Re: Authentication Radius doesn't work after upgrade firmware to 10.2.2

BKRogers — Thu, 05 Jan 2023 17:56:10 GMT

So I have been working through this some. I have a Microsoft NPS radius server that worked fine with 10.1, but upon upgrading to 10.2 RADIUS authentications have failed.

It appears to be the TLS version which is causing the problem. By default my NPS server only uses TLS 1.0, but 10.2 requires a minimum of TLS 1.1, and I have only got it working with TLS 1.2.

To enabled TLS 1.2 on NPS I had to add a registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
Dword called TlsVersion

Value is a hex OR of

TLS 1.0 0xC0

TLS 1.1 0x300

TLS 1.2 0xC00

So the downside I am finding, I have to enable TLS 1.2 which gets 10.2 working, but then it breaks my 10.1 firewalls.

Even when I use the value 0xF30

Re: Authentication Radius doesn't work after upgrade firmware to 10.2.2

kfrankovich — Mon, 12 Jun 2023 04:12:23 GMT

Greetings everyone,

I had this same issue and found a different, but related solution. It appears that in 10.2 the minimum key length for the certificate has been increased to 2048. In 10.1 it was 1024 or lower (I didn't test but I know 1024 worked).

If you use an internal PKI that was seutp a while ago and just used the default certificate template for IAS and RAS, it is setup a minimum key length of 1024.

I had to modify the template and reissue all the certificates. With no other changes this solved my issue.

Re: Authentication Radius doesn't work after upgrade firmware to 10.2.2

kfrankovich — Mon, 12 Jun 2023 04:14:48 GMT

I should have specified I am talking about the certificate configured in NPS for PEAP (The Constraints tab, Authentication Methods, Microsoft: Protected EAP (PEAP)