RADIUS Authentication Still Prompts for Password Change


L0 Member

I have a stand-alone system which is utilizing two Palo Alto 220 Firewalls. As part of this system, I have RADIUS policies configured on a Windows server to provide domain-admin access to the device. On one PA220 I am able to log in with my domain credentials and access the device without issue. On the other PA220 I am able to log in with domain credentials as well. However, once logged in I am brought to a page that prompts me to change my password. It has a field for Old Password, New Password and New Password verification. I am not able to navigate beyond this prompt. If I try to submit the form without inputting any values it errors saying "password required." If I submit the form with appropriate values (old password and a new password) it errors saying "Cannot change password for remote users."

What could be causing this to occur? I know my RADIUS is working as it should and the two PA220s are configured identically despite one functioning and the other not.

I still have a local admin account on the device, so I am able to make changes; I just don't know what needs to be changed (local admin account is not being prompted to change password).


Things I have tried:

- Compared the "working" PA220 to the "non-working" PA220
- Looked through device settings for misconfigurations
- Ensured "change password at first login" has been disabled
- Deleted authentication profiles and re-added them
- Deleted users and re-added them
- Committing changes
- Rebooting device



Any advice/suggestion would be greatly appreciated!



Cyber Elite

Can you export the configuration on the "bad" one and import it onto the "good" firewall?


Use the Config Audit functionality to definitely compare side by side (vs eyeballing it.. 😛 to see where the change is).


Just an idea besides prayer.  😛


L0 Member

I have a similar issue going on with my LDAP configurations. There are 3 admins that can log in via token to our firewalls but I have another guy that is unable to log in because it continues to prompt him for a password change. He had the sysads reset his account and rebuild his profile on the firewall but there was still no change. As far as I can tell there is no reason why he should be able to log in.

Hi @AlecWeiner,


- What versions are the FWs? Are they running the same version?

- Are both FWs using the same protocol (PAP, CHAP)?


I am not sure if it is the same, but a while ago we hit something similar - we wanted to configure RADIUS between PAN 7.1 and SafeNet (for token authentication). We hit a problem that when the user entered username and password the SafeNet server was sending "Challenge" as the response, which prompted the user to enter a second password, even though there is no second pass. It turns out that by default the PAN 7.1 was using PAP and SafeNet was using CHAP. After forcing the FW to use CHAP everything was working fine.


In addition I would suggest you run a packet capture during the authentication attempt to capture the RADIUS traffic. I bet you will see that the server is sending the strange response (which will tell the FW to provide you with the "change password" page).
