-
Título
Defender with Palo Alto firewall firmware version 7.0.x -
Descripción
Defender will not return PAP replies with Palo Alto firmware 7.0.3. Defender may have been tested and working with a 6.x release of Palo Alto firmware. -
Causa
Palo Alto firmware 7.0.x has significant changes from 6.x with regards to PAP and CHAP. -
Resolución
These steps below may allow the Palo Alto firewall to function correctly with Defender. Please save and review the Palo Alto configuration prior to making any changes in the event that reverting the changes is required:
1. Update OS on Palo Alto to 7.0.4 or later (this allows adjustment of the CHAP/PAP settings as below)
2. Issue the following on the firewall to force PAP (after 7.0 Palo Alto tries to use CHAP with fallback to PAP, though this fallback doesn’t appear to work)
> Set authentication radius-auth-type pap
Run this command to confirm setting is now PAP:
>show system state | match radius-auth-type
To rollback, the command is >Set authentication radius-auth-type auto
3. On the Palo Alto under Device/Authentication Profile, click the RADIUS profile and change Username Modifier to %USERINPUT% Solution in Palo Alto 7.0.4 or aboveNote that on the Palo Alto Panorama devices, configuration via "set authentication radius-auth-type" was not added until firmware 7.0.6.