This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

About BKRogers

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
BKRogers
‎03-22-2023
since ‎08-25-2021
L0 Member
User Activity
User Profile
User Badges
Community Statistics
Member Since ‎08-25-2021 05:06 PM
Date Last Visited ‎03-22-2023 05:58 PM
Posts 2

Re: Authentication Radius doesn't work after upgrade firmware to 10.2.2

by in GlobalProtect Discussions
‎01-05-2023 09:56 AM
‎01-05-2023 09:56 AM
So I have been working through this some.  I have a Microsoft NPS radius server that worked fine with 10.1, but upon upgrading to 10.2 RADIUS authentications have failed.   It appears to be the TLS version which is causing the problem.  By default my NPS server only uses TLS 1.0, but 10.2 requires a minimum of TLS 1.1, and I have only got it working with TLS 1.2.   To enabled TLS 1.2 on NPS I had to add a registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13 Dword called   TlsVersion Value is a hex OR of     TLS 1.0 0xC0 TLS 1.1 0x300 TLS 1.2 0xC00    So the downside I am finding, I have to enable TLS 1.2 which gets 10.2 working, but then it breaks my 10.1 firewalls. Even when I use the value  0xF30    ... View more

Panorama and PANOS RADIUS Authentication Failing after upgrade to 10.2

by in Panorama Discussions
‎01-05-2023 07:24 AM
‎01-05-2023 07:24 AM
Hello,  Thought I would pass on this solution I found.  After upgrading our Panorama from 10.1 to 10.2, our RADIUS authentication no longer worked.  The root cause was our Microsoft RADIUS server was using TLS 1.0 for the PEAP-MSCHAP TLS handshake and 10.2 REQUIRES TLS 1.1.   The solution is to add the following registry setting to your Microsoft NPS server HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13 add a DWORD TlsVersion with a hex value of 0x3C0 then reboot.     This value will allow the MS NPS server to negotiate TLS 1.0 and TLS 1.1.     You probably DONT want to enable TLS 1.2 yet.  I found enabling TLS 1.2 will cause 10.1 PANOS to fail the RADIUS handshake.   Related MS Link Microsoft security advisory: Update for Microsoft EAP implementation that enables the use of TLS: October 14, 2014 - Microsoft Support ... View more
Register or Sign-in
Contact Me
Online Status
Offline
Date Last Visited
‎03-22-2023 05:58 PM
LEGAL NOTICES
RESOURCES
Copyright 2007 - 2023 - Palo Alto Networks