About Callum_Bisley

Hi Martin,   Ii have the same issue with my lab device. I have just migrated my PAN VM on 10.1.4 to a PANO on 10.1.4-h4. After a successful migration, all tunnels are down. I am seeing a authentication failure and PSK mismatch in the System logs. Thankfully, as this is a lab I am not having PD traffic affected.   But as you stated had to re-put the PSK in for my tunnels, and the associations succeeded.   Kind Regards,   Callum ... View more

Hi Everyone,   Finally to add to this post.   My apologies I meant 'Conditions' not 'Constraints'.   @TomYoung  I finally removed the Local Admin Profile from my PA, and I am able to successfully (externally) authenticate to my NPS server.    After some testing, it was very weird, I retraced my steps and steadily added all the 'Conditions' that were failing previously. I have no idea why but it appears to be working.   If you come across this issue (a bit buggy) enable the denied policy (you see in the system logs>security on Windows event viewer) test, then disable and reenable your configured NPS policy.  ... View more

Hi, @TomYoung     Also hello to everyone else whom may come across this issue themselves with regards to 2016 ADs Ok, so with Toms' great advice (regards the PA config) and some research. It appeared to be hitting a completely different policy (a default RADIUS deny policy as stated in on my above image). So as a test, I allowed the policy and left the constraints with only the default time constraint, adding in the respective VSA for PA. In which has now worked, and I able to access with RADIUS as an Admin onto my PA.    However, when I added other constraints in such as 'Authentication', 'Windows Groups', and 'Client IP'. It would fail, on the PA side I would get generic invalid username/password error. I would get an error in the event security logs, actually not pointing towards any error at all simply stating 'No match to NPS policies'.   So for my configured VSA rule, I simply removed the constraints, added the time constraint, and it appears to be working.    I have to conduct some further tests. I.E removing adding constraints, removing local admin profile etc.  ... View more

Hi Tom,   That's great, I am just testing this right now. The security logs have provided something interesting:   What it looks like to me (I am going to double check the NPS Polices) is that it appears to be hitting the wrong Network Policy. As I do know both sides for the configured policy should be using PAP.    If I can hopefully drill this down, I will update here.   Thanks for the message again.   Callum ... View more

Hi Tom,   Thanks for the message, and the tips.   I hope I am not being too daft, but I am assuming the local admin will use the shared secret password instead? If I am creating a local admin which is not an AD member.    If that is the case, I am seeing the same error message as with my previous admin. Which would point me in the direction of the NPS policies.   If I am able to find the solution, I will mention on here.   Thanks Callum ... View more