06-25-2010 09:57 AM
Hi Guys,
I have an issue with the SSL VPN authentication via RADIUS.
I have configured the RADIUS Server with these options:
Name: PANSSL
Address: 10.0.0.8
Vendor Name: RADIUS Standard
The Policy and Connection Type, is as follows:
Name: AccessVPN
Conditions: Windows User Groups, domain\domain_users
Access Permission: Access Granted
Authentication Method: Checked: Microsoft Encrypted Authentication version 2 (MS-CHAP-v2)
User can change password after it has expired
Microsoft Encrypted Authentication (MS-CHAP)
User can change password after it has expired
Unencrypted Authentication (PAP, SPAP)
RADIUS Attributes: Framed-Protocol: PPP
Service-type: Framed
I have a Windows Server 2003.
When I try to get access, it gives me the following error: User "domai\domai_user" failed authentication. Reason: User is not in allowlist.
I have modified the allow list many times; right now I have all users in the allowlist, but it is not working.
I am working with a PAN-500, software version: 3.1.2, SSL-VPN Client 1.1.1, Application-Version 192-655, Threat version 192-655, Antivirus 240-279, URL Filtering 3376.
Any help?
Thanks in advance.
06-25-2010 11:02 AM
Here are a few questions/troubleshooting steps. Are you using a pan-agent? If so, there may be a connectivity issue. The CLI command > show user pan-agent statistics will help determine that. If using the agent, are the users members of the configured group? Use the CLI command > debug device server dump user-group <group name>. If not using a pan-agent, when editing the allow list, type "all" (minus quotes) in the "Additional Users" box and see if that allows you to authenticate. Beyond that, you may want to contact your support provider.
07-29-2010 03:58 AM
Late answer, I know. But for the record.
There is no support for MS-CHAP v2. In the RADIUS server you have to (sorry to say) use only PAP for authentication.
/ Mike
08-06-2010 08:25 AM
Hi NRICE,
1. I am using PAN-Agent version 3.1.2
2. The CLI command show user.... gives me the following info:
admin@PA-500-BBDO> show user pan-agent statistics
Name       IP Address   Port  Vsys   State          Users  Grps  IPs  Activity Cnts  Link Speed
-----------------------------------------------------------------------------------------------
BBDOAgent  192.168.0.2  3033  vsys1  connected, ok  293    15    130  433            fast
2. I am using the Domain Users group.
3. The cli command debug device server dump.... gives me all the users that belong to the group.
Is there anything else that I need to check or some configuration that I need to add or delete?
Thanks in advance.