Radius Auth Profile with PEAP-MsCHAPv2


L1 Bithead

Has anyone successfully integrated Radius Auth profile PEAP-MsCHAPv2 with NPS or any other Radius platform?

 

I have configured my Radius Auth Profile and attached the relevant Cert profile to it as per the knowledgebase article below.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmkRCAS

However, we are unable to establish a successful authentication attempt for a GlobalProtect user on the Radius auth profile. If I change the Radius auth type to PAP, it works fine.

Below is the NPS setting used, shared by the team managing NPS.

 

 

NamalW_0-1600837232072.png

 

2 REPLIES

L2 Linker

For PEAP-MSCHAPv2 to work, a certificate will be required on the domain controller, which needs to be signed by an internal PKI CA.


windowsNPS.png

As you can see above, my DC01 has a certificate issued by my Root CA SOS.local.

 

On the firewall side, you should have the following configuration:


radius-mschap.png

From the screenshot above, we can see the certificate profile applied, "PEAP-Cert", which will have my signing CA, and the authentication protocol is selected as PEAP-MSCHAPv2.

After the config above, you can create an authentication profile with the RADIUS profile above and apply it to your Portal or gateway or both.

Hope that helps! 
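The reply above depends on the NPS server certificate chaining to the CA held in the firewall's certificate profile. The following is an added example, not part of the original posts, that checks that chain with openssl on PEM files; the throwaway CA, the subject names and the file names are constructed for the demonstration, and `make_constructed_pki` and `nps_cert_trusted` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed demo: check that a RADIUS (NPS) server certificate chains to the
# CA that the firewall's certificate profile trusts. All names are made up.

# Build a throwaway PKI in directory $1: a root CA, a server cert it signs,
# and a self-signed "rogue" cert that reuses the same subject name.
make_constructed_pki() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=dc01.example.test" \
        -keyout "$dir/dc01.key" -out "$dir/dc01.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/dc01.csr" -days 1 \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/dc01.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=dc01.example.test" \
        -keyout "$dir/rogue.key" -out "$dir/rogue.pem" 2>/dev/null || return 1
}

# Return 0 only if server cert $2 verifies against CA file $1 for TLS server use.
nps_cert_trusted() {
    openssl verify -CAfile "$1" -purpose sslserver "$2" >/dev/null 2>&1
}

# Run both certificates through the check and report the outcome.
demo() {
    tmp=$(mktemp -d) || return 1
    make_constructed_pki "$tmp" || { rm -rf "$tmp"; return 1; }
    for cert in dc01 rogue; do
        if nps_cert_trusted "$tmp/ca.pem" "$tmp/$cert.pem"; then
            echo "$cert.pem: chains to the profile CA"
        else
            echo "$cert.pem: NOT trusted by the profile CA"
        fi
    done
    rm -rf "$tmp"
}
demo
```

On a real deployment, `nps_cert_trusted` would be pointed at the CA exported from the certificate profile and the certificate NPS presents for PEAP.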

Hi Sakhan, 

I'm looking at your first screenshot, which shows PEAP Properties. You have chosen "Microsoft: Protected EAP (PEAP)" and I was curious to know why you've also checked MSCHAPv2 under the less secure authentication methods. Is there a reason for that? In my setup I do not have anything checked under less secure authentication methods and it works as intended.
