Authentication CLI and XML API Changes

PAN-OS 8.1 has the following CLI and XML API changes for Authentication features:
Feature
Change
CLI access over SSH
The minimum and maximum values have changed for the amount of data transmitted over the Management (MGT) interface before PAN-OS regenerates the SSH keys that administrators use to access the firewall CLI:
  • PAN-OS 8.0 and earlier releases:
    # set deviceconfig system ssh session-rekey mgmt data {1-32 | default}
  • PAN-OS 8.1 release:
    # set deviceconfig system ssh session-rekey mgmt data {10-4000 | default}
LDAP authentication
The minimum value has changed for the interval (in seconds) after which PAN-OS tries to connect to an LDAP server after a previous failed attempt:
  • PAN-OS 8.0 and earlier releases:
    # set [shared] server-profile ldap <name> retry-interval <1-3600>
    # set [vsys <name>] server-profile ldap <name> retry-interval <1-3600>
  • PAN-OS 8.1 release:
    # set [shared] server-profile ldap <name> retry-interval <60-3600>
    # set [vsys <name>] server-profile ldap <name> retry-interval <60-3600>
RADIUS authentication
PAN-OS no longer provides the option to fall back to Password Authentication Protocol (PAP) when a RADIUS server doesn’t respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
  • PAN-OS 8.0 and earlier releases:
    # set [shared] server-profile radius <name> protocol {CHAP | PAP | Auto}
    # set [vsys <name>] server-profile radius <name> protocol {CHAP | PAP | Auto}
  • PAN-OS 8.1 release:
    # set [shared] server-profile radius <name> protocol {EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}
    # set [vsys <name>] server-profile radius <name> protocol {EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}
TACACS+ authentication
PAN-OS no longer provides the option to fall back to Password Authentication Protocol (PAP) when a TACACS+ server doesn’t respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
  • PAN-OS 8.0 and earlier releases:
    # set [shared] server-profile tacplus <name> protocol {CHAP | PAP | Auto}
    # set [vsys <name>] server-profile tacplus <name> protocol {CHAP | PAP | Auto}
  • PAN-OS 8.1 release:
    # set [shared] server-profile tacplus <name> protocol {CHAP | PAP}
    # set [vsys <name>] server-profile tacplus <name> protocol {CHAP | PAP}
