Authentication Changes in PAN-OS 8.1

PEAP-MSCHAPv2 is now the default Authentication Protocol for RADIUS in PAN-OS 8.1; the Auto option is deprecated.
PAN-OS 8.1 has the following change in default behavior for Authentication features:
FeatureChange
Extensible Authentication Protocol (EAP) Support for RADIUS
All new RADIUS server profiles use PEAP-MSCHAPv2 as the default Authentication Protocol, and the Make Outer Identity Anonymous option is enabled by default.
The Auto option for the Authentication Protocol has been deprecated. With this deprecation, after you upgrade a firewall that was previously configured to use Auto, the firewall will use CHAP or PAP based on the protocol that was in use before the upgrade; a firewall that was not configured to use RADIUS authentication before upgrade will default to CHAP.
After you upgrade, Panorama templates use CHAP as the default authentication protocol.
When you downgrade a firewall that was configured to use PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP, the firewall will default to CHAP.

Related Documentation