<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Global Protect, Radius, SecurEnvoy,  question in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-radius-securenvoy-question/m-p/154567#M50907</link>
    <description>&lt;P&gt;We had a strange issue with our 2Factor breaking this week; logs looked to be showing a RADIUS auth MD5 mismatch between PAN 3020 and SecurEnvoy.&lt;/P&gt;&lt;P&gt;During that time we had too many hands on the issue, and feel the team made it worse...&lt;/P&gt;&lt;P&gt;So some background,&lt;/P&gt;&lt;P&gt;We have a 3020 currently as our VPN using RADIUS for user auth; that connection/password then passes through a FortiGate 300C, then to SecurEnvoy.&lt;/P&gt;&lt;P&gt;When I saw the logs, it looked as if the PAN and SecurEnvoy had a shared password mismatch. During the troubleshooting, we changed the PAN's and SecurEnvoy's shared password "only, not on the FortiGate", restarted services, etc.&lt;/P&gt;&lt;P&gt;But still no go... get Access-Rejected.&lt;/P&gt;&lt;P&gt;But if I use the FortiGate VPN using the 2 factor/SecurEnvoy, I auth and have access. Crappy part: the company has no knowledge of that password "I'm the new guy cleaning up the mess"&lt;/P&gt;&lt;P&gt;I have both the MGT and Inside IP as a client on SecurEnvoy, and the FortiGate IP. But the PAN/SecurEnvoy have matching shared keys. And the FortiGate/SecurEnvoy use a different shared key.&lt;/P&gt;&lt;P&gt;And this doesn't seem to be an access issue, as I can use LDAP with no problem, but in my gut I feel that we need to have the same shared key on PAN, FortiGate, SecurEnvoy in order to decrypt correctly the shared key?&lt;/P&gt;&lt;P&gt;Does this seem like I'm on the right track? Should my shared key be the same between the 3020, 300C, and SecurEnvoy?&lt;/P&gt;</description>
    <pubDate>Fri, 28 Apr 2017 17:48:28 GMT</pubDate>
    <dc:creator>ktruex99</dc:creator>
    <dc:date>2017-04-28T17:48:28Z</dc:date>
    <item>
      <title>Global Protect, Radius, SecurEnvoy,  question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-radius-securenvoy-question/m-p/154567#M50907</link>
      <description>&lt;P&gt;We had a strange issue with our 2Factor breaking this week; logs looked to be showing a RADIUS auth MD5 mismatch between PAN 3020 and SecurEnvoy.&lt;/P&gt;&lt;P&gt;During that time we had too many hands on the issue, and feel the team made it worse...&lt;/P&gt;&lt;P&gt;So some background,&lt;/P&gt;&lt;P&gt;We have a 3020 currently as our VPN using RADIUS for user auth; that connection/password then passes through a FortiGate 300C, then to SecurEnvoy.&lt;/P&gt;&lt;P&gt;When I saw the logs, it looked as if the PAN and SecurEnvoy had a shared password mismatch. During the troubleshooting, we changed the PAN's and SecurEnvoy's shared password "only, not on the FortiGate", restarted services, etc.&lt;/P&gt;&lt;P&gt;But still no go... get Access-Rejected.&lt;/P&gt;&lt;P&gt;But if I use the FortiGate VPN using the 2 factor/SecurEnvoy, I auth and have access. Crappy part: the company has no knowledge of that password "I'm the new guy cleaning up the mess"&lt;/P&gt;&lt;P&gt;I have both the MGT and Inside IP as a client on SecurEnvoy, and the FortiGate IP. But the PAN/SecurEnvoy have matching shared keys. And the FortiGate/SecurEnvoy use a different shared key.&lt;/P&gt;&lt;P&gt;And this doesn't seem to be an access issue, as I can use LDAP with no problem, but in my gut I feel that we need to have the same shared key on PAN, FortiGate, SecurEnvoy in order to decrypt correctly the shared key?&lt;/P&gt;&lt;P&gt;Does this seem like I'm on the right track? Should my shared key be the same between the 3020, 300C, and SecurEnvoy?&lt;/P&gt;</description>
      <pubDate>Fri, 28 Apr 2017 17:48:28 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-radius-securenvoy-question/m-p/154567#M50907</guid>
      <dc:creator>ktruex99</dc:creator>
      <dc:date>2017-04-28T17:48:28Z</dc:date>
    </item>
    <item>
      <title>Re: Global Protect, Radius, SecurEnvoy,  question</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/global-protect-radius-securenvoy-question/m-p/154591#M50912</link>
      <description>&lt;P&gt;From the brief overview of your environment then you would be correct, the three devices really should be using a known pre-shared to get things to function correctly. You shouldn't really cause any issues changing the entire path's shared-key at all either.&lt;/P&gt;</description>
      <pubDate>Fri, 28 Apr 2017 20:11:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/global-protect-radius-securenvoy-question/m-p/154591#M50912</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2017-04-28T20:11:48Z</dc:date>
    </item>
  </channel>
</rss>

