Super Contributor II

Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

Hi all,

 

Looking for some guidance. I'm lab testing Palo Alto admin authentication via RADIUS to ClearPass.

 

I can get authentication to work fine when using PAP but not CHAP. 

 

The authentication source is Windows 2012 R2 AD. The example user account has been set to use reversible encryption and the default domain security policy is the same. 

 

When I point the Palo Alto to the Windows box and set up NPS, I can do CHAP authentication; however, it shows up as MD5-CHAP in the NPS logs.

 

When ClearPass tries, I get these logs:

 

2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_pap: Attribute "Password" missing. Cannot use "CHAP-Password". Not setting Auth-Type.
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_authmthd_1" returns noop for request 21
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_chap: Setting 'Auth-Type := svc_3002_authmthd_6'
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_authmthd_6" returns ok for request 21
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_eap: No EAP-Message, not doing EAP
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_eap" returns noop for request 21
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_auth_check: Allowed authentication methods: svc_3002_authmthd_1, svc_3002_authmthd_6, svc_3002_eap
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - radius: No MS Identity VP
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_auth_check: allowed Authentication method svc_3002_authmthd_6 set.
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_auth_check" returns ok for request 21
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcall: leaving group svc_PAN Admin Radius_3002 (returns ok) for request 21
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rad_check_password: Found Auth-Type svc_3002_authmthd_6
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - auth: type "svc_3002_authmthd_6"
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - Processing the authenticate section of radiusd.conf
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcall: entering group svc_3002_authmthd_6 for request 21
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_chap: login attempt by "homer" with CHAP password
2017-03-31 13:57:28,688[Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_chap: Could not find clear text password for user homer
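
Added example, not part of the original post or any vendor's code: the final rlm_chap line in the log above follows from how a RADIUS CHAP-Password (RFC 2865, using the RFC 1994 CHAP calculation) is verified. The server has to recompute MD5(ident || password || challenge) itself, so a one-way hash of the password is not enough. Function names and sample values are constructed for illustration, and SHA-256 is only a stand-in for whatever one-way hash a user store might hold.

```python
import hashlib
import hmac

def chap_response(ident: int, password: bytes, challenge: bytes) -> bytes:
    """RFC 1994 CHAP value: MD5 over identifier, secret, then challenge."""
    return hashlib.md5(bytes([ident]) + password + challenge).digest()

def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: CHAP-Password value = 1-byte ident + 16-byte response."""
    return bytes([ident]) + chap_response(ident, password, challenge)

def verify_chap(chap_password: bytes, challenge: bytes, stored_secret) -> str:
    """Server side: recompute the response from what the user store returns.

    challenge is the CHAP-Challenge attribute, or the Request Authenticator
    when that attribute is absent from the Access-Request.
    """
    if len(chap_password) != 17:
        return "malformed"
    if stored_secret is None:
        # The situation in the log: no usable plaintext came back.
        return "no-cleartext"
    expected = chap_response(chap_password[0], stored_secret, challenge)
    ok = hmac.compare_digest(expected, chap_password[1:])
    return "accept" if ok else "reject"

if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    challenge = bytes.fromhex("00112233445566778899aabbccddeeff")
    password = b"Example-Passw0rd"
    attr = build_chap_password(0x2A, password, challenge)
    one_way = hashlib.sha256(password).digest()  # stand-in for a stored hash
    cases = [("plaintext available", password),
             ("only a one-way hash", one_way),
             ("nothing returned", None)]
    for label, secret in cases:
        print(f"{label:22s} -> {verify_chap(attr, challenge, secret)}")
```

PAP does not have this constraint because the server receives the password itself and can check it against whatever form the backend stores.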
Super Contributor II

Re: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

Further info - PANOS 7.1.8 and CPPM 6.6.4

 

Server is joined to domain

 

Super Contributor II

Re: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

BUMP!

For some weird reason my post disappeared over the weekend. Hoping this gets someone's attention!

 

 

Contributor II

Re: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

My org doesn't store passwords with reversible encryption, so CHAP was out of the question for me (made a great case for upgrading PAN to a newer version with TACACS support). You mentioned that NPS logs show MD5-CHAP instead of just CHAP, so have you tried adding EAP-MD5 to the authentication methods list in your auth service?

Super Contributor II

Re: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

Yeah, I did try using MD5 but it still failed. Hadn't considered using TACACS. RADIUS was my default choice out of habit!

New Contributor

Re: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

Did you resolve this? I have the same issue with Palo Alto and CHAP.

 

Also have a similar issue with an "other" RADIUS server. I'm wondering if it's a Windows 2012 R2 thing. Users have reversible passwords enabled.

Super Contributor II

Re: Palo Alto Admin authentication through ClearPass to AD - CHAP Failing

Unfortunately not, had to engineer around it to meet customer timeline.
