RADIUS Authentication after Upgrade to PAN OS 7.1.0 from 6.1.X

21502
Created On 09/25/18 19:49 PM - Last Modified 06/12/23 10:34 AM


Symptom

Issue

  • The RADIUS server drops the packets, as it was configured to support only PAP authentication.
  • The following command gives no output; it just waits for a response from the RADIUS server.

PA-3020(active)> test authentication authentication-profile "Radius Profile" username aserl password
Enter password :

Diagnosis

  • Before PAN OS 7.0.0, PAP was the only authentication type recognized when using RADIUS authentication.
  • The RADIUS server was configured so that it responds only to PAP requests.
  • On PAN-OS 6.1.x the Palo Alto Networks firewall sent only PAP-type requests; after the upgrade it tries CHAP first, which caused the issue.


Resolution


  • As soon as any GlobalProtect user tries to connect to the portal and gateway, the RADIUS server silently drops the Access-Request packets sent by the firewall.

Authd logs from the firewall

=============================================================================================

PA-3020(active)> tail follow yes mp-log authd.log


2016-04-08 12:36:31.734 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:178): request type (CHAP or PAP) has not determined yet, authd tries to send CHAP request to RADIUS server 10.1.0.20 now
2016-04-08 12:36:31.734 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:191): username: aserl
2016-04-08 12:36:31.734 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:404): RADIUS request type: CHAP

2016-04-08 12:36:35.712 -0700 debug: cfgagent_doop_callback(pan_cfgagent.c:502): received signal to execute for agent: authd
2016-04-08 12:36:35.713 -0700 debug: pan_authd_show_user_auth_stat_internal(pan_auth_ops.c:998): Got last 
pan_auth_cache_get_vsys_domain_sso_id(pan_auth_cache_authprof_n_authseqprof.c:135): prof "Radius Profile", vsys "vsys1" has sso hash table id: 0 (0 means no or invalid keytab)

2016-04-08 12:37:02.820 -0700 debug: pan_auth_request_process(pan_auth_state_engine.c:1647): Trying to authenticate: <profile: "Radius Profile", vsys: "vsys1", username "aserl">

2016-04-08 12:37:02.820 -0700 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1121): Authenticating user "aserl" with <profile: "Radius Profile", vsys: "vsys1">
2016-04-08 12:37:02.820 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:178): request type (CHAP or PAP) has not determined yet, authd tries to send CHAP request to RADIUS server 10.1.0.20 now
2016-04-08 12:37:02.820 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:191): username: aserl
2016-04-08 12:37:02.820 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:404): RADIUS request type: CHAP

2016-04-08 12:37:33.873 -0700 debug: auth_svr_timeout_sent_request(pan_auth_svr.c:287): CHAP timeout & retry: authd id=298, username=aserl, protocol req id=1, retries=1 (svr ctxt timeout_in_sec 30, max_retries 5) (req elapsed 31 secs; max allowed 40 secs)

2016-04-08 12:37:38.873 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:2424): auth status: auth timed out
2016-04-08 12:37:38.874 -0700 debug: _log_auth_respone(pan_auth_server.c:243): Sent FAILED auth response for user 'aserl' (exp_in_days=0 (-1 never; 0 within a day))
2016-04-08 12:38:08.874 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:2424): auth status: auth timed out
2016-04-08 12:38:08.874 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:2591): Auth FAILED for user "aserl" thru <"Radius Profile", "vsys1">: remote server 10.1.0.20 of server profile "Radius" is down, or in retry interval, or request timed out (elapsed time 66 secs, max allowed 40 secs)

Logs from the RADIUS server

=============================================================================================


2016-04-08T17:09:47.067480Z|0|5004|5020|prfad|Event 2.
2016-04-08T17:09:47.067480Z|0|5004|5020|prfad|Sock 0x000000000000014C
2016-04-08T17:09:47.067480Z|0|5004|5020|pfrad|Code 1 - ACCESS_REQUEST.
2016-04-08T17:09:47.067480Z|e|5004|5020|pfrad|Received invalid ACCESS_REQUEST packet. Dropping packet.
2016-04-08T17:09:47.067480Z|e|5004|5020|pfrad|processIncomingPacket failed.

The firewall was not getting any success (Access-Accept) or challenge response for the query, because the RADIUS server was dropping the CHAP packets, and the fallback to PAP authentication was not happening; this is what caused the timeouts above.
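As an added example (not from the article or from Palo Alto Networks), the following Python script walks a constructed authd.log excerpt in the format shown above and flags users whose CHAP requests timed out without authd ever sending a PAP request, the signature this article attributes to a PAP-only RADIUS server. The sample log lines and the function names are assumptions of this example.

```python
import re

# Constructed authd.log excerpt in the format shown in this article (not a real capture):
# a CHAP attempt for "aserl" that times out, then a PAP attempt for "bob" that succeeds.
SAMPLE_AUTHD_LOG = """\
2016-04-08 12:37:02.820 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:191): username: aserl
2016-04-08 12:37:02.820 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:404): RADIUS request type: CHAP
2016-04-08 12:37:33.873 -0700 debug: auth_svr_timeout_sent_request(pan_auth_svr.c:287): CHAP timeout & retry: authd id=298, username=aserl, protocol req id=1, retries=1
2016-04-08 12:37:38.873 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:2424): auth status: auth timed out
2016-04-08 13:39:49.991 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:191): username: bob
2016-04-08 13:40:09.986 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:412): RADIUS request type: PAP
2016-04-08 13:40:13.151 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:2424): auth status: auth success
"""

# authd logs the username first, then the request type it chose, then the outcome.
USER_RE = re.compile(r"\): username: (\S+)$")
TYPE_RE = re.compile(r"RADIUS request type: (CHAP|PAP)$")
STATUS_RE = re.compile(r"auth status: (.+)$")


def parse_attempts(log_text):
    """Walk the log in order and pair each username with the request type authd
    sent for it and the final auth status (None if the log never shows one)."""
    attempts, current = [], None
    for line in log_text.splitlines():
        m = USER_RE.search(line)
        if m:
            current = {"user": m.group(1), "type": None, "status": None}
            attempts.append(current)
            continue
        if current is None:
            continue
        m = TYPE_RE.search(line)
        if m:
            current["type"] = m.group(1)
            continue
        m = STATUS_RE.search(line)
        if m:
            current["status"] = m.group(1).strip()
            current = None  # attempt is closed once authd reports its outcome
    return attempts


def chap_timeouts_without_pap_fallback(attempts):
    """Users whose CHAP request timed out while authd never sent them a PAP
    request: the pattern that points at a PAP-only RADIUS server."""
    users_with_pap = {a["user"] for a in attempts if a["type"] == "PAP"}
    return sorted({a["user"] for a in attempts
                   if a["type"] == "CHAP" and a["status"] == "auth timed out"
                   and a["user"] not in users_with_pap})
```

Run it against the output of `tail mp-log authd.log` saved to a file; a non-empty result for every user is the cue to check whether the RADIUS server accepts PAP only.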

The RADIUS server was configured so that the user enters credentials in the GlobalProtect client software and then receives a call on their mobile phone asking them to press # for confirmation; hence the timeout is configured to be longer (30-40 seconds).

If the server is configured to use only PAP authentication, use the following command to address this type of issue:

> set authentication radius-auth-type pap

This command persists across reboots, but not across software updates.

After this command, the user connected successfully to GlobalProtect.


Authd logs

=====================

2016-04-08 13:39:49.991 -0700 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:191): username: aserl
2016-04-08 13:40:09.986 -0700 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:412): RADIUS request type: PAP
2016-04-08 13:40:13.151 -0700 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:241): resp_code = RAD_ACCESS_ACCEPT
2016-04-08 13:40:13.151 -0700 debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1202): Got response for user: "aserl"
2016-04-08 13:40:13.151 -0700 debug: pan_auth_response_process(pan_auth_state_engine.c:2424): auth status: auth success
