11-29-2017 02:15 PM
We had purchased a pair of 850s to replace a pair of 3020s. Over the weekend I had put the 850s into place and we immediately saw problems with clients authenticating to our RADIUS server behind the 850. We're working with PA support but they seem fairly insistent that there is no problem with the 850s. A bit of background:
We have cell phones, laptops, and network gear such as switches authenticating to RADIUS. Cell phones use cert-based auth over TLS, laptops use PEAP with their Windows computer domain credentials, and the switches mainly use PEAP with EAP-MSCHAP v2 and Windows user credentials. The RADIUS server is a Windows Server 2008 R2 running NPS.
When the 3020s are in place, everything hums along just fine. When the 850s are in place, only cell phones can authenticate properly. Neither laptops nor switches can log in. However, laptops at our corporate campus have no problems as they don't traverse the PA to authenticate with RADIUS. So initially I thought, well, I'll just disable RADIUS at corporate and we'll authenticate against our backup RADIUS server offsite, which is behind a PA220. Remote clients appeared to work, but then our corporate clients could not authenticate.
Looking at the packet captures from a good auth over the 3020 and from a bad auth over an 850, the only noticeable difference is that on the bad auth you see Access-Request, Duplicate request over and over again, and then it times out after 15 seconds.
Like I said, support is pretty stuck on it being a RADIUS problem, despite it working fine when we revert to the 3020s. The 850s are just directly imported configs from the 3020s, and we even went through the config line by line to see if anything changed unexpectedly and didn't come up with anything there.
The 850s were initially on 8.0.2. I tried 8.0.5, but the problem persisted. 8.0.6 is out for them and I'll likely try that next if I don't hear anything else on this.
Any suggestions would be greatly appreciated, thanks.