01-05-2023 07:24 AM
Hello,
Thought I would pass on this solution I found. After upgrading our Panorama from 10.1 to 10.2, our RADIUS authentication no longer worked. The root cause was our Microsoft RADIUS server was using TLS 1.0 for the PEAP-MSCHAP TLS handshake and 10.2 REQUIRES TLS 1.1.
The solution is to add the following registry setting to your Microsoft NPS server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
Add a DWORD TlsVersion with a hex value of 0x3C0,
then reboot.
This value will allow the MS NPS server to negotiate TLS 1.0 and TLS 1.1.
You probably DON'T want to enable TLS 1.2 yet. I found enabling TLS 1.2 will cause 10.1 PANOS to fail the RADIUS handshake.
Related MS Link
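
Added example, not part of the original post: a PowerShell script to run on the NPS server that reports which TLS versions the current TlsVersion value allows and, with -Apply, writes the 0x3C0 value described above. The per-version bit groups (0xC0, 0x300, 0xC00) are the values Microsoft documents for this setting and are not listed in the post; the -Apply switch and the function name are this example's own.

```powershell
# Added example: audit (and optionally set) the EAP TlsVersion value on an NPS server.
# Run from an elevated PowerShell session on the NPS host.
param(
    [switch]$Apply   # without -Apply the script only reports
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13'
$Name    = 'TlsVersion'
$Target  = 0x3C0   # value from the post: TLS 1.0 + TLS 1.1

# Bit groups for this DWORD as documented by Microsoft (assumption: not stated in the post).
$Flags = [ordered]@{
    'TLS 1.0' = 0x0C0
    'TLS 1.1' = 0x300
    'TLS 1.2' = 0xC00
}

function Get-EnabledTlsVersions {
    param([int]$Value)
    # A version counts as enabled only when both bits of its group are set.
    $Flags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -eq $_.Value } |
        ForEach-Object { $_.Key }
}

if (-not (Test-Path $KeyPath)) {
    throw "Key not found: $KeyPath"
}

# Read the current override, if any, and decode it.
$current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) {
    Write-Output "$Name is not set (no override configured)."
} else {
    $enabled = (Get-EnabledTlsVersions -Value $current) -join ', '
    Write-Output ('{0} = 0x{1:X} -> {2}' -f $Name, $current, $enabled)
}

if ($Apply -and $current -ne $Target) {
    # Print the previous value first so the change can be rolled back.
    $previous = if ($null -eq $current) { '<not set>' } else { '0x{0:X}' -f $current }
    Write-Output "Previous value: $previous"
    New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Target -Force | Out-Null
    Write-Output ('Set {0} to 0x{1:X}; reboot for it to take effect.' -f $Name, $Target)
}
```

Running it without -Apply before and after the change confirms what the server will negotiate and leaves a record of the earlier value.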