Extensible Authentication Protocol (EAP) Support for RADIUS
RADIUS authentication supports PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP for GlobalProtect and Captive Portal authentication and for administrative access to the firewall and Panorama.
To securely transport administrator or end user credentials between RADIUS servers and the firewall, you can now use the following Extensible Authentication Protocols (EAP): PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP.
The supported EAP methods create an encrypted tunnel between the firewall and the RADIUS server to protect usernames, passwords, and other credential information in transit. Each method consists of an outer TLS tunnel and an inner authentication method. The firewall first validates the RADIUS server's certificate against the Certificate Profile, then establishes the outer TLS tunnel. Only after the TLS tunnel is up does the firewall run the inner method (MSCHAPv2, GTC, or PAP) inside it to transmit the user's credentials to the server.
To further protect user information from eavesdropping, you can mask the username by anonymizing the user’s identity in the outer tunnel. For authentication using GlobalProtect, you can optionally allow GlobalProtect users with expired passwords to successfully log in by permitting them to change their password.
You can use EAP with RADIUS to:
- Secure administrative access to the web interface on the firewall and Panorama
- Secure administrative access using CLI on the firewall and Panorama
- Authenticate end users through Captive Portal and GlobalProtect, including Clientless VPN and GlobalProtect Gateway
- Add a Certificate Profile that the firewall uses to validate the RADIUS server's certificate.
- Install the Server Certificate and Key on the RADIUS server.
- Add the hostname or IP address of the firewall as the RADIUS client.
- Upload the Root-CA and Intermediate CA certificates used to sign the RADIUS server certificate on the firewall.
- Create a RADIUS server profile and select the EAP Authentication Protocol it uses:
The Auto option is no longer supported. For more information on changes to default behavior for this feature, see Changes to Default Behavior and Upgrade/Downgrade Considerations in the Release Notes.
- PEAP-MSCHAPv2 (Default)—Protected EAP (PEAP) with Microsoft Challenge-Handshake Authentication Protocol (MSCHAPv2) provides improved security over PAP or CHAP by transmitting both the username and password inside an encrypted tunnel. In addition, if you are using GlobalProtect, you can allow GlobalProtect users to change expired passwords.
- PEAP with GTC—Select Protected EAP (PEAPv0) with Generic Token Card (GTC) to use one-time tokens in an encrypted tunnel.
- EAP-TTLS with PAP—Select EAP with Tunneled Transport Layer Security and PAP to transport plaintext credentials for PAP in an encrypted tunnel.
- (Optional) Select whether GlobalProtect users can change expired passwords:
- Allow users to change passwords after expiry (PEAP-MSCHAPv2 with GlobalProtect only)—Select this option to allow GlobalProtect users to change expired passwords. This feature is only supported with GlobalProtect client 4.1 or later.
- Select whether the user's identity is anonymous in the outer tunnel that the firewall creates to authenticate with the RADIUS server:
- Make Outer Identity Anonymous—This option is enabled by default. It replaces the user's identity in the outer tunnel with an anonymous value; the real username is sent only by the inner method, after the TLS tunnel is established. You must configure the RADIUS server to accept the anonymous outer identity. Some RADIUS server configurations do not support anonymous outer IDs, in which case you must clear the option. When cleared, the username is transmitted in cleartext as the outer identity before the TLS tunnel exists (the password is still protected by the tunnel).
- Select the Certificate Profile that the firewall uses to validate the RADIUS server's certificate.
- Add each RADIUS server.
- Select Device > Authentication Profile, Add a profile, and assign the RADIUS server profile to the authentication profile.
- To enable administrator access, select Device > Setup > Management, and select the Authentication Profile. Configure an Admin Role profile if the administrator uses a custom role, and configure an access domain if the firewall has more than one virtual system.
- If you are using GlobalProtect, see Enable Authentication Using an Authentication Profile.
- If you are using Captive Portal, see Map IP Addresses to Usernames Using Captive Portal.
- Commit your changes to activate them on the firewall. To confirm that authentication succeeds, use the CLI command test authentication authentication-profile <auth-profile-name> username <username> password (you are prompted for the password). You can also use the Description column in Monitor > Authentication to view the EAP outer and inner identities. To troubleshoot, use grep to search the logs for the number in the Authentication ID column. For more information, refer to the PAN-OS Admin Guide.
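The following is an added example, not code from Palo Alto Networks or from the PAN-OS documentation. It shows why the Make Outer Identity Anonymous option and the shared secret from the RADIUS client entry matter: the first message the firewall sends is a RADIUS Access-Request carrying an EAP-Response/Identity, and that identity (and the RADIUS User-Name attribute) travels in cleartext before any TLS tunnel exists. The script builds that packet for both settings, decodes it the way a passive sniffer would, and verifies the Message-Authenticator (RFC 3579) that binds the request to the client's shared secret. The shared secret, NAS address, and usernames are constructed for the example; the inner method that carries the password inside TLS is not modelled.

```python
"""Outer-identity exposure in the first EAP/RADIUS message (constructed example)."""
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_NAS_IP = 4
ATTR_EAP_MESSAGE = 79
ATTR_MSG_AUTH = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_identity_response(eap_id: int, identity: str) -> bytes:
    """EAP-Response/Identity (RFC 3748 section 5.1): code, id, length, type, data."""
    data = identity.encode()
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(data), EAP_TYPE_IDENTITY) + data


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value (max 253 value bytes)."""
    assert len(value) <= 253
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_access_request(secret: bytes, outer_identity: str, nas_ip: str,
                         pkt_id: int = 1, authenticator: Optional[bytes] = None) -> bytes:
    """Access-Request carrying EAP-Response/Identity, as a NAS (the firewall) sends it."""
    authenticator = authenticator or os.urandom(16)
    eap = eap_identity_response(eap_id=1, identity=outer_identity)
    attrs = (attr(ATTR_USER_NAME, outer_identity.encode())
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_EAP_MESSAGE, eap)
             + attr(ATTR_MSG_AUTH, bytes(16)))  # zeroed while the HMAC is computed
    header = struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # Message-Authenticator is the last attribute


def parse_attrs(pkt: bytes) -> list:
    """Split the attribute area of a RADIUS packet into (type, value) pairs."""
    out, i = [], 20
    while i < len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2 or i + length > len(pkt):
            raise ValueError("malformed attribute")
        out.append((t, pkt[i + 2:i + length]))
        i += length
    return out


def eavesdrop(pkt: bytes) -> dict:
    """What a sniffer on the firewall-to-RADIUS path learns from the outer exchange."""
    seen = {}
    for t, v in parse_attrs(pkt):
        if t == ATTR_USER_NAME:
            seen["user_name"] = v.decode()
        elif t == ATTR_EAP_MESSAGE and len(v) >= 5 and v[0] == EAP_RESPONSE and v[4] == EAP_TYPE_IDENTITY:
            seen["eap_identity"] = v[5:].decode()
    return seen


def verify_message_authenticator(pkt: bytes, secret: bytes) -> bool:
    """Server-side check: HMAC-MD5 over the packet with the attribute zeroed, keyed by the shared secret."""
    i = 20
    while i + 1 < len(pkt):
        t, length = pkt[i], pkt[i + 1]
        if length < 2:
            return False
        if t == ATTR_MSG_AUTH and length == 18:
            zeroed = pkt[:i + 2] + bytes(16) + pkt[i + length:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, pkt[i + 2:i + length])
        i += length
    return False


if __name__ == "__main__":
    secret = b"example-shared-secret"  # constructed; must match the RADIUS client entry for the firewall
    for label, outer in (("anonymous outer identity", "anonymous"),
                         ("outer identity cleared", "alice@corp.example")):
        pkt = build_access_request(secret, outer, "192.0.2.10")
        print(f"{label:26s} -> visible on the wire: {eavesdrop(pkt)}; "
              f"Message-Authenticator valid: {verify_message_authenticator(pkt, secret)}")
```

With the option enabled, the sniffer sees only "anonymous" in both User-Name and the EAP identity; with it cleared, the real username is exposed in the same two places. The Message-Authenticator check also shows why a strong, per-client shared secret matters: a request whose User-Name is altered in transit, or one sent with the wrong secret, fails verification.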
Authentication Changes in PAN-OS 8.1
EAP support for RADIUS was introduced in PAN-OS 8.1. PEAP-MSCHAPv2 is the default Authentication Protocol for RADIUS in PAN-OS 8.1; the Auto option is deprecated.