topic Re: Authentication server option in General Topics

Authentication server option

EddyFonseca — Wed, 12 May 2021 19:30:12 GMT

I have a new Palo Alto 820 and my Radius server is a Juniper running 9.1 . At this time my Cisco and other device use a share key to Authenticate to the Juniper device. On the Palo 820 Pan os 9.1.4 it want me to use the following Auth methods "PEAP-MSCHAPv2, PEAP with GTC, EAP-TTLS with PAP, CHAP, PAP" which I do not use. I want to know how I can get around this issue so we can use the radius server to grant access to the users.

Is there a command line that will send the share key not encrypted.

thank you

Eddy

Re: Authentication server option

OtakarKlier — Thu, 13 May 2021 17:28:59 GMT

Hello,

I cant say there is a work around other than allowing those methods on the Radius server. What is the use case for this? Perhaps we can suggest something else, perhaps ldap authentication?

Regards,

Re: Authentication server option

BPry — Fri, 14 May 2021 03:27:11 GMT

@EddyFonseca,

I actually wrote a commend earlier to this forgetting that PAN-OS even still supported standard PAP authentication. Honestly, I would never really recommend it at this point since the vast majority of devices actually support stronger authentication protocols and have for a while.

With that being said, I actually think you should be able to get this to work by setting up the RADIUS server profile for your Juniper radius-server using PAP. I would strongly recommend following @OtakarKlier's recommendation and actually moving to a secure configuration and not using PAP RADIUS settings.