Extensible Authentication Protocol (EAP) Support for RADIUS

RADIUS authentication supports PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP for GlobalProtect and Captive Portal authentication and for administrative access to the firewall and Panorama.
To securely transport administrator or end user credentials between RADIUS servers and the firewall, you can now use the following Extensible Authentication Protocols (EAP): PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP.
The supported EAP methods create an encrypted tunnel between the firewall and the RADIUS server to protect usernames, passwords, and other credential information in transit. The tunnel that EAP creates consists of an outer tunnel and an inner tunnel. After the firewall validates the RADIUS server’s certificate, it establishes the outer tunnel using TLS (SSL). Only after the encrypted TLS outer tunnel is up does the firewall run the inner method, which carries the user’s credentials to the server.
To further protect user information from eavesdropping, you can mask the username by anonymizing the user’s identity in the outer tunnel. For authentication using GlobalProtect, you can optionally allow GlobalProtect users with expired passwords to successfully log in by permitting them to change their password.
You can use EAP with RADIUS to:
  • Secure administrative access to the web interface on the firewall and Panorama
  • Secure administrative access using CLI on the firewall and Panorama
  • Authenticate end users through Captive Portal and GlobalProtect, including Clientless VPN and GlobalProtect Gateway
  1. Add a Certificate Profile to allow the RADIUS server to authenticate with the firewall.
    1. Install the Server Certificate and Key on the RADIUS server.
    2. Add the hostname or IP address of the firewall as the RADIUS client.
    3. Upload the Root-CA and Intermediate CA certificates used to sign the RADIUS server certificate on the firewall.
  2. Create a RADIUS server profile that uses an EAP Authentication Protocol:
    • PEAP-MSCHAPv2 (Default)—Protected EAP (PEAP) with Microsoft Challenge-Handshake Authentication Protocol (MSCHAPv2) provides improved security over PAP or CHAP by transmitting both the username and password in an encrypted tunnel. In addition, if you are using GlobalProtect, you can allow GlobalProtect users to change expired passwords.
    • PEAP with GTC—Select Protected EAP (PEAPv0) with Generic Token Card (GTC) to use one-time tokens in an encrypted tunnel.
    • EAP-TTLS with PAP—Select EAP with Tunneled Transport Layer Security and PAP to transport plaintext credentials for PAP in an encrypted tunnel.
    The Auto option is no longer supported. For more information on changes to default behavior for this feature, see Changes to Default Behavior and Upgrade/Downgrade Considerations in the Release Notes.
  3. (Optional) Select whether GlobalProtect users can change expired passwords:
    • Allow users to change passwords after expiry (PEAP-MSCHAPv2 with GlobalProtect only)—Select this option to allow GlobalProtect users to change expired passwords.
      This feature is only supported with GlobalProtect client 4.1 or later.
  4. Select whether the user’s identity is anonymous in the outer tunnel that the firewall creates to authenticate with the server:
    • Make Outer Identity Anonymous—This option is enabled by default. It anonymizes the user’s identity in the outer tunnel, which the firewall creates after validating the server’s certificate, so that the real username is carried only inside the encrypted inner tunnel.
      You must configure the RADIUS server to allow access for anonymous users. Some RADIUS server configurations do not support anonymous outer identities, in which case you must clear the option. When the option is cleared, the username is transmitted in cleartext in the outer identity.
  5. Select the Certificate Profile that the firewall uses to validate the RADIUS server’s certificate (the profile you created in step 1).
  6. Add each RADIUS server.
  7. Select Device > Authentication Profile, Add a profile, and assign the RADIUS server profile to the authentication profile.
  8. To enable administrator access, select Device > Setup > Management and select the Authentication Profile. Configure an Admin Role profile if the administrator uses a custom role, and configure an access domain if the firewall has more than one virtual system.
  9. If you are using GlobalProtect, see Enable Authentication Using an Authentication Profile.
  10. If you are using Captive Portal, see Map IP Addresses to Usernames Using Captive Portal.
  11. Commit your changes to activate them on the firewall.
    To confirm that authentication succeeds, use the test authentication authentication-profile <auth-profile-name> username <username> password command. You can also view the EAP outer and inner identities in the Description column under Monitor > Authentication. To troubleshoot, grep the logs for the value shown in the Authentication ID column. For more information, refer to the PAN-OS Admin Guide.
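As an added illustration of the Make Outer Identity Anonymous option in step 4 and of the outer and inner identities you inspect in step 11 (example code written for this page, not part of the PAN-OS documentation or product): the block builds a constructed RADIUS Access-Request carrying the EAP-Response/Identity that a RADIUS client sends before any TLS tunnel exists, then reports whether that outer identity is anonymized or leaks the real username. Attribute and EAP type numbers follow RFC 2865, RFC 3579 and RFC 3748; the packet contents and identities are constructed samples.

```python
import struct

# RADIUS and EAP constants (RFC 2865, RFC 3579, RFC 3748)
ACCESS_REQUEST, ATTR_USER_NAME, ATTR_EAP_MESSAGE = 1, 1, 79
EAP_RESPONSE, EAP_TYPE_IDENTITY = 2, 1


def build_access_request(outer_identity, packet_id=7):
    """Constructed sample Access-Request: User-Name plus the EAP-Response/Identity
    a RADIUS client sends at the start of PEAP or EAP-TTLS."""
    ident = outer_identity.encode()
    eap = struct.pack("!BBHB", EAP_RESPONSE, packet_id, 5 + len(ident), EAP_TYPE_IDENTITY) + ident
    attrs = struct.pack("!BB", ATTR_USER_NAME, 2 + len(ident)) + ident
    attrs += struct.pack("!BB", ATTR_EAP_MESSAGE, 2 + len(eap)) + eap
    # 16-byte Request Authenticator left as zeros in this constructed sample
    return struct.pack("!BBH", ACCESS_REQUEST, packet_id, 20 + len(attrs)) + bytes(16) + attrs


def parse_attributes(packet):
    """Walk the attribute list; EAP-Message fragments are concatenated (RFC 3579 3.1)."""
    code, _pid, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    attrs, eap, pos = {}, b"", 20
    while pos < length:
        attr_len = packet[pos + 1] if pos + 2 <= length else 0
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if packet[pos] == ATTR_EAP_MESSAGE:
            eap += value
        else:
            attrs[packet[pos]] = value
        pos += attr_len
    if eap:
        attrs[ATTR_EAP_MESSAGE] = eap
    return attrs


def outer_identity(packet):
    """Return (identity, anonymized). The outer identity crosses the wire before the
    TLS tunnel exists, so only 'anonymous' (optionally with a realm) should appear."""
    eap = parse_attributes(packet).get(ATTR_EAP_MESSAGE, b"")
    if len(eap) < 5 or eap[0] != EAP_RESPONSE or eap[4] != EAP_TYPE_IDENTITY:
        raise ValueError("not an EAP-Response/Identity")
    ident = eap[5:].decode()
    return ident, ident.split("@", 1)[0] in ("", "anonymous")
```

Run against a capture of the firewall-to-RADIUS exchange, the same check tells you whether the option is actually in effect: with it enabled the outer identity reads anonymous (or anonymous@realm), with it cleared the real username appears in the clear.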