RADIUS authentication: MS-CHAP v2?

L3 Networker

RADIUS authentication: MS-CHAP v2?

Currently, my PA-3050 devices (PAN-OS 6.1.12) utilize RADIUS authentication.  I know that this uses the completely unencrypted PAP protocol.

 

I have asked PAN about MS-CHAP v2 support in the past and was told that the device must be placed into FIPS mode in order to gain the ability to do RADIUS authentication over MS-CHAP v2, but by putting a device into FIPS mode you are effectively performing a factory reset.

 

I've always thought that was completely ridiculous.  If the device supports MS-CHAP v2 in FIPS mode, it's clearly capable of using the protocol.  Why not make MS-CHAP v2 available in standard mode as a choice over PAP?


In any case, I've seen that PAN has removed the FIPS mode from newer PAN-OS releases.  As such, is PAN adding MS-CHAP v2 support?  Or are they dropping MS-CHAP v2 support entirely along with the associated FIPS mode?

L7 Applicator

Re: RADIUS authentication: MS-CHAP v2?

v7.0 supports CHAP

https://live.paloaltonetworks.com/t5/Management-Articles/CHAP-preferred-over-PAP-while-sending-RADIU...

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE (3.0, 5.0, 6.0, 7.0), PCNSE (6, 7), PCNSI
L3 Networker

Re: RADIUS authentication: MS-CHAP v2?

Well, I guess it's good that they have finally moved beyond PAP, but it's a shame they aren't using MS-CHAP v2, which is the most secure RADIUS authentication protocol available.

L3 Networker

Re: RADIUS authentication: MS-CHAP v2?

Hi Scottsander,

 

As CHAP has only just been implemented, I'm sure MS-CHAP v2 is around the corner. I'm sure you could also speak to your account manager to raise this as a Feature request to add in future releases.

 

Thanks

Jack

 

 

L3 Networker

Re: RADIUS authentication: MS-CHAP v2?

I already did that three years ago.
