Global Protect, Radius, SecurEnvoy, question

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Global Protect, Radius, SecurEnvoy, question

L0 Member

We had a strange issue with our 2Factor breaking this week, logs looked to be showing a radius auth MD5 missmatch. Between PAN 3020 and SecurEnvoy.

 

During that time we had to many hands on the issue, and feel the team made it worse...

 

So some back ground,

 

We have a 3020 current as our vpn using radius for user auth, that connection/password then passes threw a Foritgate 300c, then to SecurEnvoy. 

 

When I saw the logs, it looked as if the PAN and SecurEnvory had a shared password mismatch. During the trouble shooting, we changed the pan's and securenvoy shared password "only, not on the foritgate", restarted services, etc.

 

But still no go... get Access-Rejected.

 

But if I used the Foritgate vpn using the 2 factor/securenvoy I auth and have access, crappy part the company has no knowledge of that password "Im the new guy cleaning up the mess"

 

I have both the MGT and Inside IP as a client on securenvoy, and the forigate IP. But the PAN/SecurEnvoy have matching shared keys. And the Foritgate/SecurEnvoy use a different shared key.

 

And this doesnt seem to be access issue, as I can use LDAP with no problem, but in my gut I feel that we need to have the same shared key on PAN, Forigate, SecurEnvoy inorder to decrypt correctly the shared key?

 

 

Does this seem like Im on the right track? Should my shared key be the same between the 3020, 300C, and SecurEnvoy?

1 REPLY 1

Cyber Elite
Cyber Elite

From the brief overview of your enviroment then you would be correct, the three devices really should be using a known pre-shared to get things to function correctly. You shouldn't really cause any issues changing the entire paths shared-key at all either.

  • 1784 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!