12-05-2019 04:42 AM
I have a stand-alone system which is utilizing two Palo Alto 220 Firewalls. As part of this system, I have RADIUS policies configured on a Windows server to provide domain-admin access to the device. On one PA220 I am able to login with my domain credentials and access the device without issue. On the other PA220 I am able to login with domain credentials as well. However, once logged in I am brought to a page that prompts me to change my password. It has a field for Old Password, New Password and New Password verification. I am not able to navigate beyond this prompt. If I try to submit the form without inputting any values it errors saying "password required." If I submit the form with appropriate values (old password and a new password) it errors saying "Cannot change password for remote users."
What could be causing this to occur? I know my RADIUS is working as it should and the two PA220's are configured identically despite one functioning and the other not.
I still have a local admin account on the device, so I am able to make changes, I just don't know what needs to be changed (local admin account is not being prompted to change password).
Things I have tried:
Compared the "working" PA220 to the "non-working" PA220
Looked through device settings for misconfigurations
Ensured "change password at first login" has been disabled
Deleted authentication profiles and re-added them
Deleted users and re-added them
Any advice/suggestion would be greatly appreciated!
12-05-2019 03:01 PM
Can you export the configuration on "bad" one, and import it onto "good" firewall.
use the Config Audit functionality to definitely compare side by side (vs eye balling it.. 😛 to see where the change it)
Just an idea besides prayer. 😛
02-11-2020 08:34 AM
I have a similar issue going on with my LDAP configurations. There are 3 admins that can login via toke to our firewalls but I have another guy that is unable to login because it continues to prompt him for a password change. He had the sysads reset his account and rebuild his profile on the firewall but there was still no change. As far as I can tell there is no reason why he should be able to login.
02-12-2020 04:26 AM
Hi @AlecWeiner ,
- What versions are the FWs? Are they running the same version?
- Does both FWs are using same protocols PAP, CHAP?
I am not sure if it the same, but while ago we hit something similar - we wanted to configure RADIUS between PAN 7.1 and SafeNet (for token authentication). We hit a problem that when user entered username and password the SafeNet server was sending "Challenge" as response, which prompted the user to enter second password, even that there is no second pass. It turns out that by default the PAN 7.1 was using PAP and SafeNet was using CHAP. After forcing the FW to use CHAP everything was working fine.
In addition I would suggest you to run packet capture during the authentication attempt to capture the RADIUS traffic, I bet you will see that the server is sending the strange response (which will tell the FW to provide you with the "change password" page)
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!