06-21-2016 02:20 PM
Currently, my PA-3050 devices (PAN-OS 6.1.12) utilize RADIUS authentication. I know that this uses the completely unencrypted PAP protocol.
I have asked PAN about MS-CHAP v2 support in the past and was told that the device must be placed into FIPS mode in order to gain the ability to do RADIUS authentication over MS-CHAP v2, but by putting a device into FIPS mode you are effectively performing a factory reset.
I've always thought that was completely ridiculous. If the device supports MS-CHAP v2 in FIPS mode, it's clearly capable of using the protocol. Why not make MS-CHAP v2 available in standard mode as a choice over PAP?
In any case, I've seen that PAN has removed the FIPS mode from newer PAN-OS releases. As such, is PAN adding MS-CHAP v2 support? Or are they dropping MS-CHAP v2 support entirely along with the associated FIPS mode?
v7.0 supports CHAP
06-22-2016 06:41 AM
Well, I guess it's good that they have finally moved beyond PAP, but it's a shame they aren't using MS-CHAP v2, which is the most secure RADIUS authentication protocol available.
06-23-2016 03:31 AM
As CHAP has only just been implemented, I'm sure MS-CHAP v2 is around the corner. I'm sure you could also speak to your account manager to raise this as a feature request to add in future releases.
06-23-2016 01:49 PM
I already did that three years ago.