Authentication Radius doesn't work after upgrade firmware to 10.2.2


L1 Bithead

Hi everyone,

On a PA-220 I've updated the firmware from 10.1.5h1 to 10.2.2.

We have GlobalProtect working with RADIUS authentication using the PEAP-MSCHAPv2 protocol.

After the upgrade it doesn't work anymore (it works with other protocols, like PAP).

Certificates are OK, nothing changed.
We've already tried changing the RADIUS server, without success.
This is the error:

 

test authentication authentication-profile vpn-radius username ots50025 password
Enter password :

Target vsys is not specified, user "ots50025" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
user "xxxxxxx\ots50025" is a member of allowed group "cn=vpn-cisco-ch,ou=permission groups,dc=xxxxxx,dc=local" on vsys "vsys1"
Egress: No service source route is set, might use destination source route if configured
Test authentication to RADIUS server 10.2.20.55:1812 for user: "ots50025" using protocol: PEAP with MSCHAPv2
Failed EAPOL auth (-1).
Response for user: "ots50025" from RADIUS server: "protocol version"
Authentication failed against RADIUS server at 10.2.20.55:1812 for user "ots50025"


Any ideas?
It's not among the known issues of the new version.

Thanks to everyone.


L1 Bithead

UPDATE:

We've opened a ticket with Palo Alto support; they suggested trying a Windows Server 2022 RADIUS server, and it works.
Waiting for some more explanation and to find out whether they will fix the issue in a new release.

Cyber Elite

@Ots-network,

What version of Windows Server are you currently running? I haven't run into this issue in my lab where I have 10.2 still going through validation, but those are connecting to Server 2022 and Server 2019 installs. 

Hello BPry,

Sorry for the delay, but I was on holiday.
At the moment we are still waiting for an answer from Palo Alto.

Now we are working with a 2022 RADIUS server.

The answer from PA was simply: the cipher suite is different in 10.2.

But if we check online, the 10.2 and 10.1 cipher suites are the same.

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-support...

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-support...

At this point they asked us to send the certificate, and we have now been waiting for 10 days.
No news.

About your question: we had a 2008 and a 2016 RADIUS server. Unfortunately we can't test 2019 at the moment.

L1 Bithead

Hello,

Did you receive any updates on this case?
We are facing the same issue with a RADIUS server on Windows Server 2016.

Regards

Hello,

I'm having the same issue with NPS installed on Windows Server 2019 Datacenter. After upgrading to 10.2.3, MSCHAPv2 authentication stopped working. PAP is working with no issues.

admin@PA-220> test authentication authentication-profile "Authentication Profile" username "Username" password
Enter password :

Target vsys is not specified, user "Username" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
name "Username" is in group "all"

Egress: No service source route is set, might use destination source route if configured
Test authentication to RADIUS server X.X.X.X:1812 for user: "Username" using protocol: PEAP with MSCHAPv2
Failed EAPOL auth (3).
Authentication failed against RADIUS server at X.X.X.X:1812 for user "Username"

Authentication failed for user "Username"

admin@PA-220>

L1 Bithead

Hello,

Thank you for those details; it shows that even Windows Server 2019 is not sufficient.

On our side, we tried updating the Palo Alto from 10.1.8 to 10.2.2-h2 (the current preferred Palo Alto support release).
We can't see any authentication logs on the RADIUS server side when a user tries to connect through GP.

Regards

L0 Member

So I have been working through this some. I have a Microsoft NPS RADIUS server that worked fine with 10.1, but upon upgrading to 10.2, RADIUS authentications have failed.

It appears to be the TLS version which is causing the problem. By default my NPS server only uses TLS 1.0, but 10.2 requires a minimum of TLS 1.1, and I have only got it working with TLS 1.2.

To enable TLS 1.2 on NPS I had to add a registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
DWORD called TlsVersion

The value is a hex OR of:

TLS 1.0 0xC0

TLS 1.1 0x300

TLS 1.2 0xC00

So the downside I am finding: I have to enable TLS 1.2, which gets 10.2 working, but then it breaks my 10.1 firewalls.

Even when I use the value 0xF30.
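The registry change described in the post above, scripted so the mask is computed from the bit values rather than typed by hand. This is an added example, not the poster's own script or Microsoft's documentation: the key path and the per-version values (0xC0, 0x300, 0xC00) are taken from the post, the function names are invented here, and the note that a restart is needed before NPS picks up the new value is an assumption. ORing all three values gives 0xFC0, which the script enables so that a server can be tested against both PAN-OS 10.1 and 10.2 peers; whether a combined mask satisfies both is left as the post reports it. Run in an elevated PowerShell session on the NPS server.

```powershell
# Added example (not from the original post): set the EAP TLS version mask used by NPS for PEAP.
# Key path and bit values come from the post above; the restart note at the end is an assumption.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13'
$TlsBits = [ordered]@{ 'TLS1.0' = 0xC0; 'TLS1.1' = 0x300; 'TLS1.2' = 0xC00 }

function Get-EapTlsMask {
    # Compute the DWORD value as a bitwise OR of the requested versions.
    param([string[]]$Versions)
    $mask = 0
    foreach ($v in $Versions) {
        if (-not $TlsBits.Contains($v)) { throw "Unknown TLS version '$v' (expected: $($TlsBits.Keys -join ', '))" }
        $mask = $mask -bor $TlsBits[$v]
    }
    return $mask
}

function Set-EapTlsVersion {
    # Create the key if missing and write TlsVersion as a REG_DWORD.
    param([string[]]$Versions)
    $mask = Get-EapTlsMask -Versions $Versions
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name 'TlsVersion' -PropertyType DWord -Value $mask -Force | Out-Null
    Write-Host ("TlsVersion set to 0x{0:X} ({1})" -f $mask, ($Versions -join ', '))
}

function Show-EapTlsVersion {
    # Read the current value back and decode which versions it enables.
    $current = (Get-ItemProperty -Path $KeyPath -Name 'TlsVersion' -ErrorAction SilentlyContinue).TlsVersion
    if ($null -eq $current) { Write-Host 'TlsVersion not set (OS default applies)'; return }
    $enabled = foreach ($entry in $TlsBits.GetEnumerator()) {
        if (($current -band $entry.Value) -eq $entry.Value) { $entry.Key }
    }
    Write-Host ("TlsVersion = 0x{0:X} -> {1}" -f $current, ($enabled -join ', '))
}

# Enable all three versions: 0xC0 -bor 0x300 -bor 0xC00 = 0xFC0.
Set-EapTlsVersion -Versions 'TLS1.0', 'TLS1.1', 'TLS1.2'
Show-EapTlsVersion

# Assumption: NPS reads this value at service start, so restart it (or reboot) before re-testing:
# Restart-Service -Name IAS
```

To enable only TLS 1.2, call `Set-EapTlsVersion -Versions 'TLS1.2'` (0xC00). Re-run `Show-EapTlsVersion` after the change and then repeat the `test authentication authentication-profile ...` command on the firewall to confirm the PEAP handshake completes.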

L2 Linker

Greetings everyone,

I had this same issue and found a different, but related, solution. It appears that in 10.2 the minimum key length for the certificate has been increased to 2048. In 10.1 it was 1024 or lower (I didn't test, but I know 1024 worked).

If you use an internal PKI that was set up a while ago and just used the default certificate template for IAS and RAS, it is set up with a minimum key length of 1024.

I had to modify the template and reissue all the certificates. With no other changes this solved my issue.

L2 Linker

I should have specified that I am talking about the certificate configured in NPS for PEAP (the Constraints tab, Authentication Methods, Microsoft: Protected EAP (PEAP)).
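A way to check the certificates on the NPS server against the 2048-bit minimum described in the two posts above, before reissuing anything. This is an added example, not the poster's script: the 2048-bit threshold is the one the post reports for 10.2, while the choice to select candidate PEAP certificates by the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) in the machine store is an assumption about how the NPS PEAP certificate is typically identified; confirm the thumbprint against the one selected on the Constraints tab. Run on the NPS server.

```powershell
# Added example (not from the original post): flag machine-store server certificates whose
# RSA key is shorter than the 2048-bit minimum reported for PAN-OS 10.2 PEAP.
# The EKU filter is an assumption; the thumbprint should be matched to the NPS PEAP setting.
$MinKeyBits    = 2048
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

function Get-RsaKeyBits {
    # Return the RSA modulus size in bits, or $null for non-RSA (e.g. ECDSA) keys.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    if ($null -eq $rsa) { return $null }
    return $rsa.KeySize
}

function Test-PeapCertificateKeyLength {
    # One row per candidate certificate; Ok is $false for anything below the minimum
    # or with a non-RSA key this check does not evaluate.
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid } |
        ForEach-Object {
            $bits = Get-RsaKeyBits -Cert $_
            [pscustomobject]@{
                Subject    = $_.Subject
                Thumbprint = $_.Thumbprint
                NotAfter   = $_.NotAfter
                KeyBits    = $bits
                Ok         = ($null -ne $bits -and $bits -ge $MinKeyBits)
            }
        }
}

$results = Test-PeapCertificateKeyLength
$results | Format-Table -AutoSize

$weak = $results | Where-Object { -not $_.Ok }
if ($weak) {
    Write-Warning ("{0} certificate(s) below {1} bits; reissue from a template with a {1}-bit minimum." -f $weak.Count, $MinKeyBits)
}
```

If the certificate NPS uses shows `KeyBits 1024`, the fix the post describes applies: raise the minimum key size on the issuing template, reissue, and reselect the new certificate under Microsoft: Protected EAP (PEAP) in the network policy.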
