07-06-2022 02:05 AM - edited 07-06-2022 02:40 AM
Hi everyone,
On a PA-220 I've updated the firmware version from 10.1.5h1 to 10.2.2.
We have GlobalProtect working with RADIUS authentication using the PEAP-MSCHAPv2 protocol.
After the upgrade it doesn't work anymore (it works with other protocols, like PAP).
Certificates are ok, nothing changed.
We've already tried to change radius server without success.
This is the error:
test authentication authentication-profile vpn-radius username ots50025 password
Enter password :
Target vsys is not specified, user "ots50025" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
user "xxxxxxx\ots50025" is a member of allowed group "cn=vpn-cisco-ch,ou=permission groups,dc=xxxxxx,dc=local" on vsys "vsys1"
Egress: No service source route is set, might use destination source route if configured
Test authentication to RADIUS server 10.2.20.55:1812 for user: "ots50025" using protocol: PEAP with MSCHAPv2
Failed EAPOL auth (-1).
Response for user: "ots50025" from RADIUS server: "protocol version"
Authentication failed against RADIUS server at 10.2.20.55:1812 for user "ots50025"
Any ideas?
It's not among the known issues of the new version.
Thanks to everyone.
07-06-2022 05:18 AM
UPDATE:
We've opened a ticket with Palo Alto support; they suggested we try with a Windows 2022 RADIUS server, and it works.
Waiting for some more explanation and to know if they will fix the issue with some new release.
07-07-2022 02:19 PM
What version of Windows Server are you currently running? I haven't run into this issue in my lab where I have 10.2 still going through validation, but those are connecting to Server 2022 and Server 2019 installs.
07-25-2022 07:33 AM
Hello BPry,
sorry for the delay but I was on holiday.
At this moment we are still waiting for an answer from Palo Alto.
Now we are working with a 2022 RADIUS server.
The answer from PA was simply: the cipher suite is different in 10.2,
but if we check online the 10.2 and 10.1 cipher suites are the same.
At this point they asked us to send the certificate, and now we have been waiting for 10 days.
No news.
About your question we had 2008 and a 2016 radius. Unfortunately we can't test 2019 at this moment.
11-22-2022 04:56 AM
Hello,
Did you receive any updates on this case?
We are facing the same issue with a 2016 RADIUS server.
Regards
11-23-2022 01:52 PM
Hello,
I'm having the same issue with NPS installed on Windows 2019 Datacenter. After upgrading to 10.2.3, MSCHAPv2 authentication stopped working. PAP is working with no issues.
admin@PA-220> test authentication authentication-profile "Authentication Profile" username "Username" password
Enter password :
Target vsys is not specified, user "Username" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "Username" is in group "all"
Egress: No service source route is set, might use destination source route if configured
Test authentication to RADIUS server X.X.X.X:1812 for user: "Username" using protocol: PEAP with MSCHAPv2
Failed EAPOL auth (3).
Authentication failed against RADIUS server at X.X.X.X:1812 for user "Username"
Authentication failed for user "Username"
admin@PA-220>
11-23-2022 11:37 PM
Hello,
Thank you for those details; it shows that even Windows 2019 is not sufficient.
On our side, we tried updating the Palo from 10.1.8 to 10.2.2-h2 (currently the preferred release per Palo Alto support).
We can't see any authentication logs on the RADIUS server side when a user tries to connect through GP.
Regards
01-05-2023 09:56 AM
So I have been working through this some. I have a Microsoft NPS radius server that worked fine with 10.1, but upon upgrading to 10.2 RADIUS authentications have failed.
It appears to be the TLS version which is causing the problem. By default my NPS server only uses TLS 1.0, but 10.2 requires a minimum of TLS 1.1, and I have only got it working with TLS 1.2.
To enable TLS 1.2 on NPS I had to add a registry value under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
a DWORD called TlsVersion.
Value is a hex OR of
TLS 1.0 0xC0
TLS 1.1 0x300
TLS 1.2 0xC00
So the downside I am finding is that I have to enable TLS 1.2, which gets 10.2 working, but then it breaks my 10.1 firewalls.
Even when I use the value 0xF30.
06-11-2023 09:12 PM
Greetings everyone,
I had this same issue and found a different but related solution. It appears that in 10.2 the minimum key length for the certificate has been increased to 2048. In 10.1 it was 1024 or lower (I didn't test, but I know 1024 worked).
If you use an internal PKI that was set up a while ago and just used the default certificate template for IAS and RAS, it is set up with a minimum key length of 1024.
I had to modify the template and reissue all the certificates. With no other changes, this solved my issue.
06-11-2023 09:14 PM
I should have specified that I am talking about the certificate configured in NPS for PEAP (the Constraints tab, Authentication Methods, Microsoft: Protected EAP (PEAP)).
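An added example, not from any post in this thread, that audits both NPS settings discussed above on the NPS host: it decodes the TlsVersion DWORD using the bit values quoted in the 01-05-2023 post and lists server-authentication certificates in the machine store whose RSA key is shorter than the 2048 bits the 06-11-2023 post describes. Assumptions: Windows PowerShell 5.1 or later run as administrator on the NPS server; the registry path is exactly the one posted; the NPS service name (IAS) and the need to restart it are assumptions, not something the thread states.

```powershell
# Added example (not from the thread): audit the two NPS settings discussed above.
# Registry path and bit values are the ones quoted in the posts; the value may be absent.
$EapTlsKey = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13'
$TlsBits = [ordered]@{ 'TLS 1.0' = 0xC0; 'TLS 1.1' = 0x300; 'TLS 1.2' = 0xC00 }

function Get-PeapTlsVersions {
    param([int]$Value)
    # A version counts as enabled only when all of its bits are set in the DWORD
    $TlsBits.GetEnumerator() | Where-Object { ($Value -band $_.Value) -eq $_.Value } |
        ForEach-Object { $_.Key }
}

# --- Check 1: which TLS versions the PEAP (EAP type 13) stack is allowed to use ---
$prop = Get-ItemProperty -Path $EapTlsKey -Name TlsVersion -ErrorAction SilentlyContinue
if ($null -eq $prop) {
    Write-Output "TlsVersion not set under $EapTlsKey (default applies; TLS 1.0 only per the post above)"
} else {
    $hex = '0x{0:X}' -f $prop.TlsVersion
    $enabled = (Get-PeapTlsVersions -Value $prop.TlsVersion) -join ', '
    Write-Output "TlsVersion = $hex -> enabled: $enabled"
    if (($prop.TlsVersion -band 0xC00) -ne 0xC00) {
        Write-Output 'TLS 1.2 is not enabled; PAN-OS 10.2 PEAP will fail according to the post above'
    }
}
# To allow TLS 1.0, 1.1 and 1.2 together (OR of the three values = 0xFC0), as administrator:
#   New-ItemProperty -Path $EapTlsKey -Name TlsVersion -PropertyType DWord -Value 0xFC0 -Force
#   Restart-Service IAS   # assumption: NPS service must be restarted to pick up the change

# --- Check 2: RSA key size of server-auth certificates NPS could present for PEAP ---
Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication')
} | ForEach-Object {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($_)
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        KeyBits    = if ($rsa) { $rsa.KeySize } else { $null }       # null for non-RSA keys
        Meets2048  = if ($rsa) { $rsa.KeySize -ge 2048 } else { 'n/a' }
    }
} | Format-Table -AutoSize
```

Plain bit arithmetic on the quoted values: 0xF30 decodes to TLS 1.1 and TLS 1.2 only (its 0xC0 bits are clear), while 0xFC0 is the OR of all three; a certificate row with Meets2048 = False is the case the 06-11-2023 post resolved by reissuing from a template with a 2048-bit minimum.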