11-29-2017 02:15 PM
We had purchased a pair of 850s to replace a pair of 3020s. Over the weekend I had put the 850s into place and we immediately saw problems with clients authenticating to our radius server behind the 850. We're working with PA support but they seem fairly insistent that there is no problem with the 850s. A bit of background:
We have cell phones, laptops, and network gear such as switches authenticating to radius. Cell phones use cert based auth over TLS, Laptops use PEAP with their windows computer domain credentials, and the switches mainly use PEAP with EAP-MSCHAP v2 and windows user credentials. The radius server is a Windows Server 2008R2 running NPS.
When the 3020s are in place, everything hums along just fine. When the 850s are in place, only cell phones can authenticate properly. Neither laptops or switches can log in. However laptops at our corporate campus have no problems as they don't traverse the PA to authenticate with Radius. So initially I thought, well I'll just disable radius at corporate and we'll authenticate against our backup radius server offsite which is behind a PA220. Remote clients appeared to work, but then our corporate clients could not authenticate.
Looking at the packet captures from a good auth over the 3020 from a bad auth over an 850, the only noticeable difference is on the bad auth, You see Access-Request, Duplicate request over and over again, and then it times out after 15 seconds.
Like I said support is pretty stuck on it being a radius problem, despite it working fine when we revert to the 3020s. The 850s are just directly imported configs from the 3020s, and we even went through line by line on the config to see if anything changed unexpectedly and didn't come up with anything there.
The 850s were initially on 8.0.2, i tried 8.0.5 but the problem persisted. 8.0.6 is out for them and I'll likely try that next if I don't hear anything else on this.
Any suggestions would be greatly appreciated, thanks
11-30-2017 12:11 PM
I'm guessing you were actually running into this bug, which got addressed with 8.0.6 PAN-84087.
11-30-2017 11:52 AM
Is it safe to assume that your PA-3020s were not running 8.0?
11-30-2017 12:01 PM
That's correct, running 7.1.7.
I did have some promising luck testing just a little bit ago. While still on 8.0.5, I initially lowered the MTU to 1300 and the traffic started passing like normal. So I backed the MTU down from 1492 by 8 until I got it working at 1448.
I then removed the 1448 MTU, and upgraded to 8.0.6. When the firewall came back up my remote switch was able to authenticate without any issue.
Unfortunately I'm in a change blackout now until the second week of December, so I won't be able to put them back in to production until then and know for sure. At this point I'd rather not mess with MTU's if I don't need to, so I'll likely roll with 8.0.6 on them.
11-30-2017 12:11 PM
I'm guessing you were actually running into this bug, which got addressed with 8.0.6 PAN-84087.
11-06-2019 10:03 AM
I see this is an old thread, found it searching, I have a similar setup except I'm on a newer pan-os 8.1.10 and I have a pa820, with the same setup for the radius running on our nps 2012r2 box, I tried to follow the pan docs on setting up https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-new-features/authentication-features/eap-support...
When I swiched to peap-mschapv2 in the nps and the pa820, I get errors on the system log "GlobalProtect portal user authentication failed Android 9, Reason: client cert not present" and seem to only work with pap which I wanted to go away with and start using peap-mschapv2.
I'm using a internal CA made cert on the pan, which I installed on the nps server also. I was gonna open a ticket with support but I figured I'd ask here first, thanks in advanced for any pointers.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
