Authentication Changes in PAN-OS 8.1

PEAP-MSCHAPv2 is now the default Authentication Protocol for RADIUS in PAN-OS 8.1; the Auto option is deprecated; SAML Authentication changes.
PAN-OS 8.1 has the following changes in default behavior for Authentication features:
Extensible Authentication Protocol (EAP) Support for RADIUS
All new RADIUS server profiles use
as the default
Authentication Protocol
, and the
Make Outer Identity Anonymous
option is enabled by default.
option for the
Authentication Protocol
has been deprecated. With this deprecation, after you upgrade a firewall that was previously configured to use
, the firewall will use CHAP or PAP based on the protocol that was in use before the upgrade; a firewall that was not configured to use RADIUS authentication before upgrade will default to CHAP.
After you upgrade, Panorama templates use CHAP as the default authentication protocol.
When you downgrade a firewall that was configured to use PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP, the firewall will default to CHAP.
SAML Authentication
PAN-OS 8.1.15 and later 8.1 releases
To ensure your users can continue to authenticate successfully with SAML Authentication, you must:
  • Ensure that you configure the signing certificate of your SAML Identity Provider as the
    Identity Provider Certificate
    on the SAML Identity Provider Server Profile.
  • Ensure that your SAML IdP sends signed SAML Responses, Assertions, or both.

Recommended For You