PA 10.2.3, RADIUS Challenge caused timeout even it shows auth success on Monitor

koibito92 — Thu, 17 Nov 2022 01:16:20 GMT

Hello All,

I have Palo Alto 10.2.3, and also 10.0.3 as a test. I used RADIUS to authenticate to the admin UI, then the RADIUS server sends a challenge, this is being handled normally by 10.0.3 but 10.2.3 seems to timeout although on Monitor it shows successful. Is this a bug? Can someone help me please this is very urgent. Also if I did want to choose a different authentication scheme this is not handled, seems it only handles 1 factor but two factor doesn't work for some unknown reason here. Below are the logs:

2022-11-17 02:42:23.639 +0200 debug: pan_auth_response_process(pan_auth_state_engine.c:4570): Authentication success: <profile: 'RSA_RADIUS_CLOUD', vsys: 'shared', username 'mdawoud'>
2022-11-17 02:42:23.639 +0200 authenticated for user 'mdawoud'. auth profile 'RSA_RADIUS_CLOUD', vsys 'shared', server profile 'RSA_RADIUS_CLOUD', server address '10.55.55.58', auth protocol 'PAP', reply message 'Authentication succeeded' From: 192.168.100.1.
2022-11-17 02:42:23.639 +0200 debug: _log_auth_respone(pan_auth_server.c:310): Sent PAN_AUTH_SUCCESS auth response for user 'mdawoud' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 7166775411576143886) (reply message 'Authentication succeeded') (return domain 'dawoud')
2022-11-17 02:42:29.837 +0200 debug: cfgagent_opcmd_callback(pan_cfgagent.c:520): authd: cfg agent received op command from server
2022-11-17 02:42:29.837 +0200 debug: cfgagent_doop_callback(pan_cfgagent.c:555): received signal to execute for agent: authd
2022-11-17 02:42:29.837 +0200 debug: pan_authd_opcmd_handler(pan_auth_ops.c:1057): Start executing cmd: 'connection_debug_on'
2022-11-17 02:42:29.837 +0200 debug: pan_authd_connection_debug_on(pan_auth_ops.c:232): Got protocol-type (null); connetion-id 4294967295; debug-prefix (null)
2022-11-17 02:42:29.837 +0200 Error: pan_authd_conn_mgmt_enable_debug(pan_authd_conn_mgmt.c:546): Invalid connection context id 33554433 >= total number 2
2022-11-17 02:42:29.837 +0200 debug: _set_ctxt_debug_on(pan_auth_service_handle.c:986): set debug on for conn_id: 33554433 ; server addr: 10.55.55.50:1812 ; method: RADIUS with debug prefix ''
2022-11-17 02:42:29.837 +0200 Error: pan_authd_conn_mgmt_enable_debug(pan_authd_conn_mgmt.c:546): Invalid connection context id 33554434 >= total number 2
2022-11-17 02:42:29.837 +0200 debug: _set_ctxt_debug_on(pan_auth_service_handle.c:986): set debug on for conn_id: 33554434 ; server addr: 10.55.55.50:1812 ; method: RADIUS with debug prefix ''
2022-11-17 02:42:29.837 +0200 debug: pan_authd_conn_mgmt_enable_debug(pan_authd_conn_mgmt.c:558): conn_id=1 is enabled debugging with prefix ''
2022-11-17 02:42:29.837 +0200 debug: _set_ctxt_debug_on(pan_auth_service_handle.c:986): set debug on for conn_id: 1 ; server addr: 10.55.55.58:1812 ; method: RADIUS with debug prefix ''

Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

Re: PA 10.2.3, RADIUS Challenge caused timeout even it shows auth success on Monitor

koibito92 — Thu, 17 Nov 2022 22:25:08 GMT

We rolled back to 10.1.7 and issue resolved. Did someone report this bug before? I don't see it in Release notes.

topic PA 10.2.3, RADIUS Challenge caused timeout even it shows auth success on Monitor in Next-Generation Firewall Discussions

PA 10.2.3, RADIUS Challenge caused timeout even it shows auth success on Monitor

Re: PA 10.2.3, RADIUS Challenge caused timeout even it shows auth success on Monitor