https://live.paloaltonetworks.com/t5/general-topics/fips-cc-security-functions-can-you-trust-pan-documentation/m-p/510783#M106268 <P>I have to disagree with you a bit here.&nbsp; If PAN classifies MS-CHAPv2 as insecure, it should have listed PAP as well because PAP is the least secure method, even worse than MS-CHAPv2.&nbsp; PAP not only sends password (encrypted with weak encryption) along with username in clear-text over the wire.&nbsp; MS-CHAPv2 does not do that.&nbsp; And yet, PAP is available in FIPS-CC mode.&nbsp; Go figure.</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 04 Aug 2022 14:45:32 GMT dtran 2022-08-04T14:45:32Z https://live.paloaltonetworks.com/t5/general-topics/fips-cc-security-functions-can-you-trust-pan-documentation/m-p/510056#M106152 <P>According to PAN documentation:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certifications/fips-cc-security-functions" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/certifications/fips-cc-security-functions</A></P> <P>&nbsp;</P> <P>MS-CHAPv2 is not compatible with FIPS-CC mode. It is recommended to use RADIUS with TLS.</P> <P>&nbsp;</P> <P>However, in my test with my PAN-820 in FIPs mode, it works perfectly with RADIUS PEAP with MSCHAP-v2.</P> <P>&nbsp;</P> <P>Can you even trust PAN documentation?</P> Wed, 27 Jul 2022 15:05:19 GMT https://live.paloaltonetworks.com/t5/general-topics/fips-cc-security-functions-can-you-trust-pan-documentation/m-p/510056#M106152 dtran 2022-07-27T15:05:19Z https://live.paloaltonetworks.com/t5/general-topics/fips-cc-security-functions-can-you-trust-pan-documentation/m-p/510764#M106262 <P>that seems a bit combative <span class="lia-unicode-emoji" title=":face_with_tongue:">😛</span></P> <P>maybe the documentation could do with a little rewording, or the protocol could be removed from configuration options</P> <P>&nbsp;</P> <P>FIPS-CC classifies MS-CHAPv2 as insecure, but this should not mean the protocol becomes unusable. The <STRONG><EM>recommendation</EM></STRONG> is to use a more secure alternative</P> Thu, 04 Aug 2022 10:15:42 GMT https://live.paloaltonetworks.com/t5/general-topics/fips-cc-security-functions-can-you-trust-pan-documentation/m-p/510764#M106262 reaper 2022-08-04T10:15:42Z https://live.paloaltonetworks.com/t5/general-topics/fips-cc-security-functions-can-you-trust-pan-documentation/m-p/510783#M106268 <P>I have to disagree with you a bit here.&nbsp; If PAN classifies MS-CHAPv2 as insecure, it should have listed PAP as well because PAP is the least secure method, even worse than MS-CHAPv2.&nbsp; PAP not only sends password (encrypted with weak encryption) along with username in clear-text over the wire.&nbsp; MS-CHAPv2 does not do that.&nbsp; And yet, PAP is available in FIPS-CC mode.&nbsp; Go figure.</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 04 Aug 2022 14:45:32 GMT https://live.paloaltonetworks.com/t5/general-topics/fips-cc-security-functions-can-you-trust-pan-documentation/m-p/510783#M106268 dtran 2022-08-04T14:45:32Z