Hi all,
Looking for some guidance. I'm lab testing Palo Alto admin authentication via RADIUS to ClearPass.
I can get authentication to work fine when using PAP but not CHAP.
The authentication source is Windows 2012 R2 AD. The example user account has been set to use reversible encryption and the default domain security policy is the same.
When I point the Palo Alto to the Windows box and set up NPS, I can do CHAP authentication, however it shows up as MD5-CHAP in the NPS logs.
When ClearPass tries, I get these logs:
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_pap: Attribute "Password" missing. Cannot use "CHAP-Password". Not setting Auth-Type. |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_authmthd_1" returns noop for request 21 |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_chap: Setting 'Auth-Type := svc_3002_authmthd_6' |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_authmthd_6" returns ok for request 21 |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_eap: No EAP-Message, not doing EAP |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_eap" returns noop for request 21 |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_auth_check: Allowed authentication methods: svc_3002_authmthd_1, svc_3002_authmthd_6, svc_3002_eap |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - radius: No MS Identity VP |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_auth_check: allowed Authentication method svc_3002_authmthd_6 set. |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcallauthorize]: module "svc_3002_auth_check" returns ok for request 21 |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcall: leaving group svc_PAN Admin Radius_3002 (returns ok) for request 21 |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rad_check_password: Found Auth-Type svc_3002_authmthd_6 |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - auth: type "svc_3002_authmthd_6" |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - Processing the authenticate section of radiusd.conf |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - modcall: entering group svc_3002_authmthd_6 for request 21 |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_chap: login attempt by "homer" with CHAP password |
2017-03-31 13:57:28,688 | [Th 22 Req 21 SessId R00000015-01-58ddc598] DEBUG RadiusServer.Radius - rlm_chap: Could not find clear text password for user homer |
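
The last log line follows from how CHAP is verified. This is an added illustration, not part of the original post and not ClearPass code: a minimal RFC 1994 / RFC 2865 CHAP check showing that the server must be able to retrieve the user's clear-text password to recompute the response. The password, challenge and identifier are constructed sample values, and SHA-256 stands in for any one-way stored hash (an assumption for illustration).

```python
import hashlib
import hmac


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(ident || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


def build_chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """Client side: CHAP-Password attribute = 1 ident byte + 16 response bytes."""
    return bytes([ident]) + chap_response(ident, password, challenge)


def verify_chap(chap_password: bytes, challenge: bytes, stored_secret) -> str:
    """Server side: recompute the response from whatever the user store returns."""
    if len(chap_password) != 17:
        raise ValueError("CHAP-Password must be 1 ident byte + 16 response bytes")
    if stored_secret is None:
        # Same situation as "Could not find clear text password" in the log.
        return "no-cleartext"
    ident, response = chap_password[0], chap_password[1:]
    expected = chap_response(ident, stored_secret, challenge)
    return "accept" if hmac.compare_digest(expected, response) else "reject"


# Constructed sample values, not taken from the post.
USER_PASSWORD = b"Example-Passw0rd"
CHALLENGE = bytes(range(16))  # CHAP-Challenge (or the Request Authenticator)
REQUEST = build_chap_password(0x2A, USER_PASSWORD, CHALLENGE)


def demo() -> dict:
    """Outcome of the same request against three kinds of stored credential."""
    one_way_hash = hashlib.sha256(USER_PASSWORD).digest()  # stand-in for any hash
    return {
        "cleartext retrievable": verify_chap(REQUEST, CHALLENGE, USER_PASSWORD),
        "only a one-way hash": verify_chap(REQUEST, CHALLENGE, one_way_hash),
        "nothing retrievable": verify_chap(REQUEST, CHALLENGE, None),
    }


if __name__ == "__main__":
    for store, outcome in demo().items():
        print(f"{store}: {outcome}")
```
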