Authentication Radius doesn't work after upgrade firmware to 10.2.2


L1 Bithead

Hi everyone,

On a PA-220 I've updated the firmware version from 10.1.5h1 to 10.2.2.

We have GlobalProtect working with RADIUS authentication with protocol PEAP-MSCHAPv2.

After the upgrade it doesn't work anymore. (It works with other protocols, like PAP.)

Certificates are ok, nothing changed.
We've already tried to change the RADIUS server without success.
This is the error:

test authentication authentication-profile vpn-radius username ots50025 password
Enter password :

Target vsys is not specified, user "ots50025" is assumed to be configured with a shared auth profile.

Do allow list check before sending out authentication request...
user "xxxxxxx\ots50025" is a member of allowed group "cn=vpn-cisco-ch,ou=permission groups,dc=xxxxxx,dc=local" on vsys "vsys1"
Egress: No service source route is set, might use destination source route if configured
Test authentication to RADIUS server 10.2.20.55:1812 for user: "ots50025" using protocol: PEAP with MSCHAPv2
Failed EAPOL auth (-1).
Response for user: "ots50025" from RADIUS server: "protocol version"
Authentication failed against RADIUS server at 10.2.20.55:1812 for user "ots50025"


Any ideas?
It's not among the known issues of the new version.

Thanks to everyone.

7 REPLIES

L1 Bithead

UPDATE:

We've opened a ticket with Palo Alto support; they suggested we try with a Win2022 RADIUS server, and it works.
Waiting for some more explanation and to know if they will fix the issue with some new release.

Cyber Elite

@Ots-network,

What version of Windows Server are you currently running? I haven't run into this issue in my lab where I have 10.2 still going through validation, but those are connecting to Server 2022 and Server 2019 installs. 

Hello BPry,

Sorry for the delay, but I was on holiday.
At this moment we are still waiting for an answer from Palo Alto.

Now we are working with a 2022 RADIUS.

The answer from PA was simply: cipher suite is different in 10.2

but if we check online, the 10.2 and 10.1 cipher suites are the same.

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-support...

https://docs.paloaltonetworks.com/compatibility-matrix/supported-cipher-suites/cipher-suites-support...

At this point they asked us to send the certificate, and we have now been waiting for 10 days.
No news.

About your question: we had a 2008 and a 2016 RADIUS. Unfortunately we can't test 2019 at this moment.

L1 Bithead

Hello,

Did you receive any updates on this case?
We are facing the same issue with a RADIUS server on 2016.

Regards
