Focus

Authentication Changes in PAN-OS 8.1

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

App-ID Changes in PAN-OS 8.1

Content Inspection Changes in PAN-OS 8.1

Authentication Changes in PAN-OS 8.1

PEAP-MSCHAPv2 is now the default Authentication Protocol for RADIUS in PAN-OS 8.1; the Auto option is deprecated; SAML Authentication changes.

PAN-OS 8.1 has the following changes in default behavior for Authentication features:

Feature Change

Feature	Change
Extensible Authentication Protocol (EAP) Support for RADIUS	All new RADIUS server profiles use PEAP-MSCHAPv2 as the default Authentication Protocol, and the Make Outer Identity Anonymous option is enabled by default. The Auto option for the Authentication Protocol has been deprecated. With this deprecation, after you upgrade a firewall that was previously configured to use Auto, the firewall will use CHAP or PAP based on the protocol that was in use before the upgrade; a firewall that was not configured to use RADIUS authentication before upgrade will default to CHAP. After you upgrade, Panorama templates use CHAP as the default authentication protocol. When you downgrade a firewall that was configured to use PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP, the firewall will default to CHAP.
SAML Authentication (`PAN-OS 8.1.15 and later 8.1 releases`)	To ensure your users can continue to authenticate successfully with SAML Authentication, you must: Ensure that you configure the signing certificate of your SAML Identity Provider as the Identity Provider Certificate on the SAML Identity Provider Server Profile. Ensure that your SAML IdP sends signed SAML Responses, Assertions, or both.

Extensible Authentication Protocol (EAP) Support for RADIUS

All new RADIUS server profiles use PEAP-MSCHAPv2 as the default Authentication Protocol, and the Make Outer Identity Anonymous option is enabled by default.

The Auto option for the Authentication Protocol has been deprecated. With this deprecation, after you upgrade a firewall that was previously configured to use Auto, the firewall will use CHAP or PAP based on the protocol that was in use before the upgrade; a firewall that was not configured to use RADIUS authentication before upgrade will default to CHAP.

After you upgrade, Panorama templates use CHAP as the default authentication protocol.

When you downgrade a firewall that was configured to use PEAP-MSCHAPv2, PEAP with GTC, or EAP-TTLS with PAP, the firewall will default to CHAP.

SAML Authentication

(PAN-OS 8.1.15 and later 8.1 releases)

To ensure your users can continue to authenticate successfully with SAML Authentication, you must:

Ensure that you configure the signing certificate of your SAML Identity Provider as the Identity Provider Certificate on the SAML Identity Provider Server Profile.
Ensure that your SAML IdP sends signed SAML Responses, Assertions, or both.

App-ID Changes in PAN-OS 8.1

Content Inspection Changes in PAN-OS 8.1

Next-Generation Firewall Docs

Authentication Changes in PAN-OS 8.1

Next-Generation Firewall Docs

Authentication Changes in PAN-OS 8.1

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner