Authentication CLI and XML API Changes

PAN-OS 8.1 has the following CLI and XML API changes for Authentication features:
Feature | Change
CLI access over SSH
The minimum and maximum have changed for the amount of data transmitted over the Management (MGT) interface before PAN-OS regenerates the SSH keys that administrators use to access the firewall CLI:
  • PAN-OS 8.0 and earlier releases:
    # set deviceconfig system ssh session-rekey mgmt data {1-32 | default}
  • PAN-OS 8.1 release:
    # set deviceconfig system ssh session-rekey mgmt data {10-4000 | default}
LDAP authentication
The minimum value has changed for the interval (in seconds) after which PAN-OS tries to connect to an LDAP server after a previous failed attempt:
  • PAN-OS 8.0 and earlier releases:
    # set [shared] server-profile ldap <name> retry-interval <1-3600>
    # set [vsys <name>] server-profile ldap <name> retry-interval <1-3600>
  • PAN-OS 8.1 release:
    # set [shared] server-profile ldap <name> retry-interval <60-3600>
    # set [vsys <name>] server-profile ldap <name> retry-interval <60-3600>
RADIUS authentication
PAN-OS no longer provides the option to fall back to Password Authentication Protocol (PAP) when a RADIUS server doesn’t respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
  • PAN-OS 8.0 and earlier releases:
    # set [shared] server-profile radius <name> protocol {CHAP | PAP | Auto}
    # set [vsys <name>] server-profile radius <name> protocol {CHAP | PAP | Auto}
  • PAN-OS 8.1 release:
    # set [shared] server-profile radius <name> protocol {EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}
    # set [vsys <name>] server-profile radius <name> protocol {EAP-TTLS-with-PAP | PEAP-MSCHAPv2 | PEAP-with-GTC | CHAP | PAP}
TACACS+ authentication
PAN-OS no longer provides the option to fall back to Password Authentication Protocol (PAP) when a TACACS+ server doesn’t respond to Challenge-Handshake Authentication Protocol (CHAP) requests:
  • PAN-OS 8.0 and earlier releases:
    # set [shared] server-profile tacplus <name> protocol {CHAP | PAP | Auto}
    # set [vsys <name>] server-profile tacplus <name> protocol {CHAP | PAP | Auto}
  • PAN-OS 8.1 release:
    # set [shared] server-profile tacplus <name> protocol {CHAP | PAP}
    # set [vsys <name>] server-profile tacplus <name> protocol {CHAP | PAP}
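
An added example, not from the PAN-OS documentation: a pre-upgrade check that scans an exported set-format configuration for values the PAN-OS 8.1 syntax listed above no longer accepts. It assumes one set command per line in the form shown on this page; the profile names and sample lines are constructed.

```python
import re

RADIUS_81 = {"EAP-TTLS-with-PAP", "PEAP-MSCHAPv2", "PEAP-with-GTC", "CHAP", "PAP"}
TACPLUS_81 = {"CHAP", "PAP"}

def in_range(value, low, high):
    return value.isdigit() and low <= int(value) <= high

# (pattern capturing the value, validity check for 8.1, message) per changed command
RULES = [
    (re.compile(r"deviceconfig system ssh session-rekey mgmt data (\S+)"),
     lambda v: v == "default" or in_range(v, 10, 4000),
     "session-rekey mgmt data must be 10-4000 or default in 8.1"),
    (re.compile(r"server-profile ldap \S+ retry-interval (\S+)"),
     lambda v: in_range(v, 60, 3600),
     "LDAP retry-interval must be 60-3600 in 8.1"),
    (re.compile(r"server-profile radius \S+ protocol (\S+)"),
     lambda v: v in RADIUS_81,
     "RADIUS protocol must be named explicitly in 8.1 (no Auto fallback)"),
    (re.compile(r"server-profile tacplus \S+ protocol (\S+)"),
     lambda v: v in TACPLUS_81,
     "TACACS+ protocol must be CHAP or PAP in 8.1 (no Auto fallback)"),
]

def audit(lines):
    """Return (line_number, offending_value, message) for each 8.1-invalid setting."""
    findings = []
    for number, line in enumerate(lines, 1):
        for pattern, valid, message in RULES:
            match = pattern.search(line)
            if match and not valid(match.group(1)):
                findings.append((number, match.group(1), message))
    return findings

# Constructed sample of a PAN-OS 8.0 configuration in set format.
SAMPLE = [
    "set deviceconfig system ssh session-rekey mgmt data 4",
    "set shared server-profile ldap corp-ldap retry-interval 30",
    "set shared server-profile ldap lab-ldap retry-interval 120",
    "set vsys vsys1 server-profile radius vpn-radius protocol Auto",
    "set shared server-profile tacplus admin-tac protocol CHAP",
    "set deviceconfig system ssh session-rekey mgmt data default",
]

if __name__ == "__main__":
    for number, value, message in audit(SAMPLE):
        print(f"line {number}: value {value!r}: {message}")
```

Profiles flagged for `Auto` need a deliberate choice of protocol before the upgrade, since PAP and CHAP differ in how the password is exposed to the network path.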
