RADIUS authentication: MS-CHAP v2?


L3 Networker

Currently, my PA-3050 devices (PAN-OS 6.1.12) utilize RADIUS authentication. I know that this uses the completely unencrypted PAP protocol.

I have asked PAN about MS-CHAP v2 support in the past and was told that the device must be placed into FIPS mode in order to gain the ability to do RADIUS authentication over MS-CHAP v2, but by putting a device into FIPS mode you are effectively performing a factory reset.

I've always thought that was completely ridiculous. If the device supports MS-CHAP v2 in FIPS mode, it's clearly capable of using the protocol. Why not make MS-CHAP v2 available in standard mode as a choice over PAP?

In any case, I've seen that PAN has removed the FIPS mode from newer PAN-OS releases. As such, is PAN adding MS-CHAP v2 support? Or are they dropping MS-CHAP v2 support entirely along with the associated FIPS mode?

Accepted Solutions

Cyber Elite

v7.0 supports CHAP

https://live.paloaltonetworks.com/t5/Management-Articles/CHAP-preferred-over-PAP-while-sending-RADIU...

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
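
For reference on what the two methods discussed in this thread put on the wire, here is an added example (not from the thread or from Palo Alto Networks) that builds the PAP `User-Password` and the `CHAP-Password` attribute values as defined in RFC 2865 sections 5.2 and 5.3. The function names are this example's own, and the secret, authenticator, challenge and password values are constructed.

```python
import hashlib
import hmac

def _md5(data: bytes) -> bytes:
    return hashlib.md5(data).digest()

def pap_hide(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """PAP: User-Password value per RFC 2865 section 5.2 (MD5 keystream XOR)."""
    if len(request_auth) != 16 or len(password) > 128:
        raise ValueError("authenticator must be 16 bytes, password at most 128")
    # Pad with NULs to a multiple of 16 bytes (at least one block).
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    hidden, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        # Each block is XORed with MD5(secret + previous ciphertext block).
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], _md5(secret + prev)))
        hidden += prev
    return hidden

def pap_recover(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of PAP: any holder of the shared secret gets the password back."""
    clear, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += bytes(c ^ m for c, m in zip(block, _md5(secret + prev)))
        prev = block
    return clear.rstrip(b"\x00")

def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP: CHAP-Password value = ident byte + MD5(ident + password + challenge)."""
    return bytes([ident]) + _md5(bytes([ident]) + password + challenge)

def chap_verify(attr: bytes, password: bytes, challenge: bytes) -> bool:
    """Server side of CHAP: recompute from the stored cleartext password and compare."""
    return len(attr) == 17 and hmac.compare_digest(
        attr, chap_password(attr[0], password, challenge))

if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))
    challenge = bytes(range(16, 32))
    password = b"constructed-password!"
    hidden = pap_hide(password, secret, authenticator)
    print("PAP  User-Password:", hidden.hex())
    print("PAP  recovered    :", pap_recover(hidden, secret, authenticator))
    attr = chap_password(7, password, challenge)
    print("CHAP CHAP-Password:", attr.hex())
    print("CHAP verified     :", chap_verify(attr, password, challenge))
```

With PAP the password is reversible by anyone holding the RADIUS shared secret, so its protection rests entirely on that secret; with CHAP the password itself is never sent, but the server needs the cleartext password to recompute the response.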

4 REPLIES

Well, I guess it's good that they have finally moved beyond PAP, but it's a shame they aren't using MS-CHAP v2, which is the most secure RADIUS authentication protocol available.

Hi Scottsander,

As CHAP has only just been implemented, I'm sure MS-CHAP v2 is around the corner. I'm sure you could also speak to your account manager to raise this as a feature request to add in future releases.

Thanks

Jack

I already did that three years ago.
