04-28-2017 10:48 AM
We had a strange issue with our 2Factor breaking this week; the logs looked to be showing a RADIUS auth MD5 mismatch between the PAN 3020 and SecurEnvoy.
During that time we had too many hands on the issue, and I feel the team made it worse...
So some background:
We have a 3020 currently as our VPN using RADIUS for user auth; that connection/password then passes through a FortiGate 300C, then to SecurEnvoy.
When I saw the logs, it looked as if the PAN and SecurEnvoy had a shared password mismatch. During the troubleshooting, we changed the PAN's and SecurEnvoy's shared password (only, not on the FortiGate), restarted services, etc.
But still no go... get Access-Rejected.
But if I use the FortiGate VPN with the 2-factor/SecurEnvoy, I auth and have access. The crappy part: the company has no knowledge of that password (I'm the new guy cleaning up the mess).
I have both the MGT and inside IP as clients on SecurEnvoy, and the FortiGate IP. But the PAN/SecurEnvoy have matching shared keys, and the FortiGate/SecurEnvoy use a different shared key.
And this doesn't seem to be an access issue, as I can use LDAP with no problem, but in my gut I feel that we need to have the same shared key on the PAN, FortiGate and SecurEnvoy in order to correctly decrypt the shared key?
Does this seem like I'm on the right track? Should my shared key be the same between the 3020, 300C, and SecurEnvoy?
04-28-2017 01:11 PM
From the brief overview of your environment, you would be correct: the three devices really should be using a known pre-shared key to get things to function correctly. You shouldn't really cause any issues changing the entire path's shared key, either.