Authentication Changes in PAN-OS 8.1

PEAP-MSCHAPv2 is now the default Authentication Protocol for RADIUS in PAN-OS 8.1; the Auto option is deprecated.
PAN-OS 8.1 has the following change in default behavior for Authentication features:
Feature
Change
Extensible Authentication Protocol (EAP) Support for RADIUS
All new RADIUS server profiles use
PEAP-MSCHAPv2
as the default
Authentication Protocol
, and the
Make Outer Identity Anonymous
option is enabled by default.
The
Auto
option for the
Authentication Protocol
has been deprecated. With this deprecation, after you upgrade a firewall that was previously configured to use
Auto
, the firewall will use CHAP or PAP based on the protocol that was in use before the upgrade; a firewall that was not configured to use RADIUS authentication before upgrade will default to CHAP.
After you upgrade, Panorama templates use CHAP as the default authentication protocol.
When you downgrade a firewall that was configured to use PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP, the firewall will default to CHAP.

Related Documentation