Palo Alto Firewalls - Need support for current 8.x OS


#1

Hello,
Currently I have Duo working with vpn on Palo Alto Firewalls on 7.x OS successfully. However it does not work with Palo 8.x OS. This needs to be addressed A.S.A.P as 8.x has been out since January 2017. Please assign the appropriate personnel to this so Duo can get updated and working again please.

The error seen when using Duo with 8.x is:
2017-06-23 09:53:22-0600 [DuoForwardServer (UDP)] ((’’, ), 12): Only PAP with a Shared Secret format or CHAP2 are supported. Is the system communicating with the Authentication Proxy using CHAP or something else instead?
2017-06-23 09:53:22-0600 [DuoForwardServer (UDP)] ((’’, ), 12): No password or CHAP2 attributes provided
2017-06-23 09:53:22-0600 [DuoForwardServer (UDP)] ((’’, ), 12): Returning response code 3: AccessReject

Thank you,
Ken


#2

Can you configure the Duo RADIUS authentication server to use PAP instead of CHAP as mentioned in step 1.4 here:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/authentication/configure-radius-authentication?


#3

Thank you, it looks like they added that option v8. After testing changing to PAP resolved the issue.

Thanks!


#4

Thanks for the follow up! We’ll be updating our Palo Alto instructions for v8 this quarter.