12-01-2025 08:06 PM - edited 12-01-2025 08:52 PM
Hello,
I have a working GP configuration that uses a client certificate, username and password for authentication, with the username and password validated using PEAP-MSCHAPv2 against a RADIUS server.
I want to add an OTP challenge as described at https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8ICAS, for the on-demand mode and using RADIUS.
Related documents describe how to configure the Auth Profile. But it is unclear to me what the RADIUS server needs to do to activate the challenge. A number of sources indicate that after the MSCHAP succeeds, the RADIUS server needs to send an Access-Challenge, but it is unclear if this needs to be inside or outside the EAP context set up for EAP-MSCHAP. Once the challenge has been requested, it is then unclear how the PA as a RADIUS client responds, e.g. with PAP or EAP-GTC.
Does anyone have a working setup like this and can share details of how the RADIUS server needs to respond?
Target is the PA3220 but I'm initially testing on a PA-VM, all running 11.1.10-h1.
Thanks.

