topic RADIUS flows for Authenticating GP with username, password and OTP in GlobalProtect Discussions https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-flows-for-authenticating-gp-with-username-password-and/m-p/1242937#M7153 <P>Hello,</P> <P>I have a working GP configuration that uses client certificate, username and password for authentication, with the username and password validated using PEAP-MSCHAPv2 against a RADIUS server.</P> <P>I want to add an OTP challenge as described at&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8ICAS," target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8ICAS,</A>&nbsp;for the on demand mode and using RADIUS.</P> <P>Related documents describe how to configure the Auth Profile. But it is unclear to me what the RADIUS server needs to do to activate the challenge. A number of sources indicate that after the MSCHAP succeeds, the RADIUS server needs to send an Access-Challenge, but it is unclear if this needs to be inside or outside the EAP context setup for EAP-MSCHAP. Once the challenge has been requested, it is then unclear how the PA as a RADIUS client responds, eg. with PAP or EAP-GTC.<BR />Does anyone have a working setup like this and can share details of how the RADIUS server needs to respond?</P> <P>Target is the PA3220 but I'm initially testing on a PA-VM, all running 11.1.10-h1.</P> <P>Thanks.</P> Tue, 02 Dec 2025 04:52:52 GMT DanielKirkham 2025-12-02T04:52:52Z RADIUS flows for Authenticating GP with username, password and OTP https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-flows-for-authenticating-gp-with-username-password-and/m-p/1242937#M7153 <P>Hello,</P> <P>I have a working GP configuration that uses client certificate, username and password for authentication, with the username and password validated using PEAP-MSCHAPv2 against a RADIUS server.</P> <P>I want to add an OTP challenge as described at&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8ICAS," target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8ICAS,</A>&nbsp;for the on demand mode and using RADIUS.</P> <P>Related documents describe how to configure the Auth Profile. But it is unclear to me what the RADIUS server needs to do to activate the challenge. A number of sources indicate that after the MSCHAP succeeds, the RADIUS server needs to send an Access-Challenge, but it is unclear if this needs to be inside or outside the EAP context setup for EAP-MSCHAP. Once the challenge has been requested, it is then unclear how the PA as a RADIUS client responds, eg. with PAP or EAP-GTC.<BR />Does anyone have a working setup like this and can share details of how the RADIUS server needs to respond?</P> <P>Target is the PA3220 but I'm initially testing on a PA-VM, all running 11.1.10-h1.</P> <P>Thanks.</P> Tue, 02 Dec 2025 04:52:52 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/radius-flows-for-authenticating-gp-with-username-password-and/m-p/1242937#M7153 DanielKirkham 2025-12-02T04:52:52Z