09-15-2018 01:21 PM
10-19-2022 07:20 AM
Again, it really depends on what you are trying to do. If it's using ISE for TACACS and authenticate via AD then CHAP will not work. I have provided a chart above in this article showing why it will not work.
If you are going to create local accounts on ISE then CHAP will work fine.
A lot of folks if you haven't noticed yet in their TACACS articles are using CHAP, yes, but they create accounts locally. No one mentions that AD for authentication using CHAP is not supported in ISE.
10-19-2022 07:25 AM
Article shows using CHAP but accounts are locally created in ISE? It doesn't show using AD for authentication.
10-19-2022 07:25 AM
Oh yes, you are right. I remember configuring CHAP with AD and it didn't work, so I had to revert back to PAP. CHAP will only work if you have local ISE accounts.
10-19-2022 07:29 AM
This is why CHAP will not work. I will repost the chart from the previous page. This is what is supported by ISE. Palo Alto needs more options in TACACS than just PAP/CHAP, and honestly I don't think PAP should even be an option.
| Protocol (Authentication Type) | Internal Database | Active Directory | LDAP | RADIUS Token Server or RSA | REST | ODBC |
|---|---|---|---|---|---|---|
| EAP-GTC, PAP (plain text password) | Yes | Yes | Yes | Yes | Yes | Yes |
| MS-CHAP password hash: MSCHAPv1/v2, EAP-MSCHAPv2 (as inner method of PEAP, EAP-FAST, EAP-TTLS or TEAP), LEAP | Yes | Yes | No | No | No | Yes |
| EAP-MD5, CHAP | Yes | No | No | No | No | Yes |
| EAP-TLS, PEAP-TLS (certificate retrieval) | | | | | | |
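Added example, not part of the original thread and not Cisco or Palo Alto code: it shows why the chart's CHAP row depends on the identity store. The CHAP response is MD5(id || secret || challenge) (RFC 1994, carried in the TACACS+ data field as described in RFC 8907), so the server must hold the plaintext secret to check it. The record layouts and the salted SHA-256 verifier are constructed stand-ins for "a store that can check a presented password but never releases it", not the format any real directory uses.

```python
import hashlib
import hmac
import os

def chap_response(ppp_id: int, secret: bytes, challenge: bytes) -> bytes:
    # RFC 1994: response = MD5(id || secret || challenge)
    return hashlib.md5(bytes([ppp_id]) + secret + challenge).digest()

def build_chap_data(ppp_id: int, password: bytes, challenge: bytes) -> bytes:
    # Client side, RFC 8907 layout: id (1 octet) || challenge || response (16 octets)
    return bytes([ppp_id]) + challenge + chap_response(ppp_id, password, challenge)

def verify_chap(data: bytes, record: dict) -> str:
    if len(data) < 18:  # 1-octet id + at least 1 challenge octet + 16-octet response
        return "ERROR: malformed CHAP data"
    ppp_id, challenge, response = data[0], data[1:-16], data[-16:]
    secret = record.get("cleartext")
    if secret is None:
        # The store only holds a one-way verifier, so the MD5 cannot be recomputed.
        return "ERROR: store cannot supply plaintext for CHAP"
    ok = hmac.compare_digest(chap_response(ppp_id, secret, challenge), response)
    return "PASS" if ok else "FAIL"

def verify_pap(password: bytes, record: dict) -> str:
    # PAP delivers the password itself, so either kind of store can check it.
    if "cleartext" in record:
        ok = hmac.compare_digest(record["cleartext"], password)
    else:
        digest = hashlib.sha256(record["salt"] + password).digest()
        ok = hmac.compare_digest(digest, record["verifier"])
    return "PASS" if ok else "FAIL"

# Constructed sample records (hypothetical layouts, labelled assumptions)
PASSWORD = b"Constructed-Pw1"
SALT = b"constructed-salt"
INTERNAL_USER = {"cleartext": PASSWORD}  # local account, plaintext retrievable
DIRECTORY_USER = {"salt": SALT, "verifier": hashlib.sha256(SALT + PASSWORD).digest()}

def demo() -> dict:
    data = build_chap_data(7, PASSWORD, os.urandom(16))
    return {
        "chap_internal": verify_chap(data, INTERNAL_USER),
        "chap_directory": verify_chap(data, DIRECTORY_USER),
        "pap_directory": verify_pap(PASSWORD, DIRECTORY_USER),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```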
03-15-2023 09:13 AM
I currently have this issue: Authentication and Authorization pass in ISE and I can see the VSA string in the response from ISE, but I get "not Authorized" at the PAN GUI. Has anyone had luck in getting this resolved?
03-15-2023 03:30 PM - edited 03-15-2023 03:31 PM
Got it to work by following this link and these settings:
Typed everything in Raw View and I was able to auth....weird deal of affairs to get this to work. "SYSTEM_RO" is the custom Role I created in PAN.
03-16-2023 12:15 AM
Glad that it did work for you.
Just two questions please:
- Did you use CHAP authentication protocol in PA FW?
- Did you create local accounts on ISE & PA FW?
03-26-2023 06:57 PM - edited 03-26-2023 07:00 PM
- Did you use CHAP authentication protocol in PA FW? I used PAP.
- Did you create local accounts on ISE & PA FW? No, the only account I created was the account referenced by the VSA, which was System_RO. I then linked the account to specific AD Groups in ISE for Dynamic Role-Based Access.