RADIUS Authentication Still Prompts for Password Change

L0 Member

RADIUS Authentication Still Prompts for Password Change

I have a stand-alone system which is utilizing two Palo Alto 220 Firewalls. As part of this system, I have RADIUS policies configured on a Windows server to provide domain-admin access to the device. On one PA220 I am able to login with my domain credentials and access the device without issue. On the other PA220 I am able to login with domain credentials as well. However, once logged in I am brought to a page that prompts me to change my password. It has a field for Old Password, New Password and New Password verification. I am not able to navigate beyond this prompt. If I try to submit the form without inputting any values it errors saying "password required." If I submit the form with appropriate values (old password and a new password) it errors saying "Cannot change password for remote users."

What could be causing this to occur? I know my RADIUS is working as it should and the two PA220's are configured identically despite one functioning and the other not.

I still have a local admin account on the device, so I am able to make changes, I just don't know what needs to be changed (local admin account is not being prompted to change password).


Things I have tried:

Compared the "working" PA220 to the "non-working" PA220

Looked through device settings for misconfigurations

Ensured "change password at first login" has been disabled

Deleted authentication profiles and re-added them

Deleted users and re-added them

Committing changes

Rebooting device



Any advice/suggestion would be greatly appreciated!


L5 Sessionator

Re: RADIUS Authentication Still Prompts for Password Change

Can you export the configuration on "bad" one, and import it onto "good" firewall.


use the Config Audit functionality to definitely compare side by side (vs eye balling it..   to see where the change it)


Just an idea besides prayer. 

Help the community: Like helpful comments and mark solutions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!