Authentication CLI and XML API Changes

CLI and XML API changes to authentication features in PAN-OS 8.1.
PAN-OS 8.1 has the following CLI and XML API changes for Authentication features:
Feature
Change
CLI access over SSH
The minimum and maximum have changed for the amount of data transmitted over the Management (MGT) interface before PAN-OS regenerates the SSH keys that administrators use to access the firewall CLI:
  • PAN-OS 8.0 and earlier releases:
    # set deviceconfig system ssh session-rekey mgmt data {1-32 | default}
  • PAN-OS 8.1 release:
    # set deviceconfig system ssh session-rekey mgmt data {10-4000 | default}
LDAP authentication
The minimum value has changed for the interval (in seconds) after which PAN-OS tries to connect to an LDAP server after a previous failed attempt:
  • PAN-OS 8.0 and earlier releases:
    # set [shared] server-profile ldap <name> retry-interval <1-3600>
    # set [vsys <name>] server-profile ldap <name> retry-interval <1-3600>
  • PAN-OS 8.1 release:
    # set [shared] server-profile ldap <name> retry-interval <60-3600>
    # set [vsys <name>] server-profile ldap <name> retry-interval <60-3600>
RADIUS authentication
PAN-OS no longer provides the option to fall back to Password Authentication Protocol (PAP) when a RADIUS server doesn’t respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
  • PAN-OS 8.0 and earlier releases:
    # set [shared] server-profile radius <name> protocol {CHAP | PAP | Auto}
    # set [vsys <name>] server-profile radius <name> protocol {CHAP | PAP | Auto}
  • PAN-OS 8.1 release:
    # set [shared] server-profile radius <name> protocol {EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}
    # set [vsys <name>] server-profile radius <name> protocol {EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}
TACACS+ authentication
PAN-OS no longer provides the option to fall back to Password Authentication Protocol (PAP) when a TACACS+ server doesn’t respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
  • PAN-OS 8.0 and earlier releases:
    # set [shared] server-profile tacplus <name> protocol {CHAP | PAP | Auto}
    # set [vsys <name>] server-profile tacplus <name> protocol {CHAP | PAP | Auto}
  • PAN-OS 8.1 release:
    # set [shared] server-profile tacplus <name> protocol {CHAP | PAP}
    # set [vsys <name>] server-profile tacplus <name> protocol {CHAP | PAP}
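
A pre-upgrade check built on the ranges in this table, as an added example that is not Palo Alto Networks code: it scans set-format commands and flags values that 8.0 accepted but 8.1 does not. The sample commands and profile names are constructed, and the script assumes each command sits on one line in the syntax shown above, with names that contain no spaces.

```python
import re

# Value ranges and protocol choices for PAN-OS 8.1, taken from the table above.
# Each rule: (command pattern, validator for the captured value, reason if invalid).
RULES = [
    (re.compile(r"^set deviceconfig system ssh session-rekey mgmt data (\S+)$"),
     lambda v: v == "default" or (v.isdigit() and 10 <= int(v) <= 4000),
     "SSH session-rekey data must be 10-4000 or default"),
    (re.compile(r"^set (?:shared|vsys \S+) server-profile ldap \S+ retry-interval (\S+)$"),
     lambda v: v.isdigit() and 60 <= int(v) <= 3600,
     "LDAP retry-interval must be 60-3600"),
    (re.compile(r"^set (?:shared|vsys \S+) server-profile radius \S+ protocol (\S+)$"),
     lambda v: v in {"EAP-TTLS-with-PAP", "PEAP-MSCHAPv2", "PEAP-with-GTC", "CHAP", "PAP"},
     "RADIUS protocol is not an 8.1 choice (Auto was removed)"),
    (re.compile(r"^set (?:shared|vsys \S+) server-profile tacplus \S+ protocol (\S+)$"),
     lambda v: v in {"CHAP", "PAP"},
     "TACACS+ protocol is not an 8.1 choice (Auto was removed)"),
]

def audit(config_text):
    """Return (line_no, command, reason) for each command outside the 8.1 syntax."""
    findings = []
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = " ".join(raw.split())  # collapse runs of whitespace
        for pattern, is_valid, reason in RULES:
            match = pattern.match(line)
            if match and not is_valid(match.group(1)):
                findings.append((no, line, reason))
    return findings

# Constructed sample input: set-format commands as an 8.0 firewall might hold them.
SAMPLE = """\
set deviceconfig system ssh session-rekey mgmt data 5
set shared server-profile ldap corp-ldap retry-interval 30
set vsys vsys1 server-profile ldap branch-ldap retry-interval 120
set shared server-profile radius vpn-radius protocol Auto
set shared server-profile radius wifi-radius protocol PEAP-MSCHAPv2
set vsys vsys1 server-profile tacplus admin-tac protocol Auto
set shared server-profile tacplus net-tac protocol CHAP
"""

if __name__ == "__main__":
    for no, line, reason in audit(SAMPLE):
        print(f"line {no}: {line}\n    -> {reason}")
```

Profiles flagged for `Auto` need an explicit protocol chosen with the authentication server's owner, since 8.1 no longer falls back from CHAP to PAP.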
