1. Home
    2. PAN-OS
    3. PAN-OS® Release Notes
    4. PAN-OS 8.1 Release Information
    5. CLI and XML API Changes in PAN-OS 8.1
    6. Authentication CLI and XML API Changes

    Authentication CLI and XML API Changes

    CLI and XML API changes to authentication features in PAN-OS 8.1.
    PAN-OS 8.1 has the following CLI and XML API changes for Authentication features:
    Feature
    Change
    CLI access over SSH
    The minimum and maximum have changed for the amount of data transmitted over the Management (MGT) interface before PAN-OS regenerates the SSH keys that administrators use to access the firewall CLI:
    • PAN-OS 8.0 and earlier releases:
      # 
      set deviceconfig system ssh session-rekey mgmt data 
      {1-32 | default}
    • PAN-OS 8.1 release:
      # 
      set deviceconfig system ssh session-rekey mgmt data 
      {10-4000 | default}
    LDAP authentication
    The minimum value has changed for the interval (in seconds) after which PAN-OS tries to connect to an LDAP server after a previous failed attempt:
    • PAN-OS 8.0 and earlier releases:
      # 
      set 
      [shared]
       server-profile ldap 
      <name>
       retry-interval 
      <1-3600>
      # 
      set 
      [vsys <name>]
       server-profile ldap 
      <name>
       retry-interval 
      <1-3600>
    • PAN-OS 8.1 release:
      # 
      set 
      [shared]
       server-profile ldap 
      <name>
       retry-interval 
      <60-3600>
      # 
      set 
      [vsys <name>]
       server-profile ldap 
      <name>
       retry-interval 
      <60-3600>
    RADIUS authentication
    PAN-OS no longer provides the option to fall back to Password Authentication Protocol (PAP) when a RADIUS server doesn’t respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
    • PAN-OS 8.0 and earlier releases:
      # 
      set 
      [shared]
       server-profile radius 
      <name>
       protocol 
      {CHAP | PAP | Auto}
      # 
      set 
      [vsys <name>]
       server-profile radius 
      <name>
       protocol 
      {CHAP | PAP | Auto}
    • PAN-OS 8.1 release:
      # 
      set 
      [shared]
       server-profile radius 
      <name>
       protocol 
      
{EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}
      # 
      set 
      [vsys <name>]
       server-profile radius 
      <name>
       protocol 
      
{EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}
    TACACS+ authentication
    PAN-OS no longer provides the option to fall back to Password Authentication Protocol (PAP) when a TACACS+ server doesn’t respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
    • PAN-OS 8.0 and earlier releases:
      # 
      set 
      [shared]
       server-profile tacplus 
      <name>
       protocol 
      {CHAP | PAP | Auto}
      # 
      set 
      [vsys <name>]
       server-profile tacplus 
      <name>
       protocol 
      {CHAP | PAP | Auto}
    • PAN-OS 8.1 release:
      # 
      set 
      [shared]
       server-profile tacplus 
      <name>
       protocol 
      {CHAP | PAP}
      # 
      set 
      [vsys <name>]
       server-profile tacplus 
      <name>
       protocol 
      {CHAP | PAP}

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2023 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo