https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/1219991#M5521 <P>I was wondering how u overcome this issue.</P> <P>Have the same problem with a remote site that needs to access the radius server over Site to site VPN.</P> <P>No radius traffic seen on Palo alto at the remote site.</P> <P>Checked this article</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLPCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLPCA0 </A></P> <P>and almost sure that Palo Alto (440) drops the packets due MTU size.</P> <P>&nbsp;</P> Tue, 11 Feb 2025 09:30:47 GMT Pieter-Janssens 2025-02-11T09:30:47Z https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/598070#M3753 <P>Hi all,&nbsp;</P> <P>There is a good chance this is not in fact a firewall issue at all.</P> <P>But I just wanted to ask people who have more experience than me.&nbsp;</P> <P>Has anyone experienced an issue where despite RADIUS traffic being passed through a Palo appliance successfully, RADIUS authentication has still failed?</P> <P>The scenario I describe is from Meraki AP's to a windows NPS server on another network. I suspect the issue is with the RADIUS configuration, but just wanted to check.&nbsp;</P> <P>&nbsp;</P> <P>Thank you.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 18 Sep 2024 04:38:54 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/598070#M3753 BPSoftware 2024-09-18T04:38:54Z https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/598080#M3755 <P>is this a consistent issue or does it happen randomly?</P> <P>you could set up packet-diag filters and packetcapture between 2 hosts for radius connections (bidirectional) to see if anything weird is popping up in the global counters, or any packets are getting moved around by the firewall between ingress and egress</P> Wed, 18 Sep 2024 07:49:53 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/598080#M3755 reaper 2024-09-18T07:49:53Z https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/598179#M3761 <P>Hello,</P> <P>I have several types of radius setup flowing through a Palo Alto, no issues, If you think there is an issue, as Reaper mentioned perform a pcap and look at the traffic logs to see if anything was denied. The Palo Alto does not 'change or modify' the packets.</P> <P>&nbsp;</P> <P>Regards,</P> Wed, 18 Sep 2024 18:27:32 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/598179#M3761 OtakarKlier 2024-09-18T18:27:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/598214#M3766 <P>Hi everyone, thank you for the replies its much appreciated.&nbsp;</P> <P>&nbsp;</P> <P>We have narrowed the issue down to my old nemesis MTU size. Correct me if I'm wrong but Palo Alto firewalls like most devices, use 1500 by default, right? I've never specified one previously. Seems like they are fragmenting anything over 1000. Very odd.&nbsp;</P> Thu, 19 Sep 2024 00:09:26 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/598214#M3766 BPSoftware 2024-09-19T00:09:26Z https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/1219991#M5521 <P>I was wondering how u overcome this issue.</P> <P>Have the same problem with a remote site that needs to access the radius server over Site to site VPN.</P> <P>No radius traffic seen on Palo alto at the remote site.</P> <P>Checked this article</P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLPCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClLPCA0 </A></P> <P>and almost sure that Palo Alto (440) drops the packets due MTU size.</P> <P>&nbsp;</P> Tue, 11 Feb 2025 09:30:47 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/potential-issue-with-radius-traffic-passed-through-palo-devices/m-p/1219991#M5521 Pieter-Janssens 2025-02-11T09:30:47Z