Palo Alto Radius MFA fails with 500 Internal Server Error

I have PrivacyIdea installed on a Rocky Linux 8 VM via pip, and all PrivacyIdea functions appear to work there. I have also set up FreeRADIUS with a challenge site configuration using LDAP and the PrivacyIdea Perl module. Using NTRadPing I am able to auth via LDAP, then set my State attribute and auth using my TOTP.

We’re planning to use this for our GlobalProtect VPN through our Palo Alto firewall. I have the RADIUS server added to the Palo and was able to test that the LDAP portion of the RADIUS auth worked via the Palo’s CLI. I had also created a simple site config that only used the PrivacyIdea Perl module and was able to successfully auth via the Palo’s CLI. Since we have people actively using the VPN, we wanted to test the full MFA process before switching users over to it. In order to do that we decided to try using the RADIUS auth profile for the Palo’s web interface on a single user. The LDAP credentials work, then it gives another password box that I enter my TOTP in, and I get a “500 INTERNAL SERVER ERROR”.

Looking through the PrivacyIdea logs I see this error:

"Illegal mix of collations (latin1_swedish_ci,IMPLICIT) and (utf8_general_ci,COERCIBLE) for operation '='"

and this is the SQL statement from the PrivacyIdea logs:

[SQL: SELECT challenge.id AS challenge_id, challenge.transaction_id AS challenge_transaction_id, challenge.data AS challenge_data, challenge.challenge AS challenge_challenge, challenge.`session` AS `challenge_session`, challenge.serial AS challenge_serial, challenge.timestamp AS challenge_timestamp, challenge.expiration AS challenge_expiration, challenge.received_count AS challenge_received_count, challenge.otp_valid AS challenge_otp_valid FROM challenge WHERE challenge.serial = %(serial_1)s AND challenge.transaction_id = %(transaction_id_1)s] [parameters: {'serial_1': 'TOTP0000D7C8', 'transaction_id_1': '...oJ.B2.S..\x07...'}]

The FreeRADIUS debug output does show that my TOTP token was entered, and it also shows the correct State attribute.

Does anyone have any idea what I can do to resolve this issue? I’d like to have a good test done through the Palo before shipping this out for everyone to use.

Hi,

Seems to be a problem with the SQL database.
Apparently you need to change the collation of the database to make them match.

Best Regards
Colin

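The check and fix Colin is pointing at, as an added example that is not part of the original thread. It assumes privacyIDEA's database is MySQL or MariaDB and is named `pi`; the schema name and the target collation are assumptions, so use the collation your connection actually reports. The log names a `latin1_swedish_ci` column (IMPLICIT) on one side of the `=` and a `utf8_general_ci` bound parameter (COERCIBLE) on the other; MySQL resolves that by converting the parameter into the column's character set and raises "Illegal mix of collations" when the conversion is not possible, so the table and the connection have to agree.

```sql
-- Added example, not from the original thread. Assumes a MySQL/MariaDB
-- database named `pi` for privacyIDEA; adjust the schema name and the
-- target collation to match what the connection reports in step 2.

-- 1. Collation of the table in the failing statement and of the two
--    columns its WHERE clause compares.
SELECT TABLE_NAME, TABLE_COLLATION
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA = 'pi'
   AND TABLE_NAME   = 'challenge';

SELECT COLUMN_NAME, CHARACTER_SET_NAME, COLLATION_NAME
  FROM information_schema.COLUMNS
 WHERE TABLE_SCHEMA = 'pi'
   AND TABLE_NAME   = 'challenge'
   AND COLUMN_NAME IN ('serial', 'transaction_id');

-- 2. Collation the bound parameters arrive with: the connection's.
--    This is the utf8_general_ci side of the error message.
SELECT @@character_set_connection AS cs_conn,
       @@collation_connection     AS coll_conn,
       @@collation_database       AS coll_db;

-- 3. Every table in the schema that does not already use the
--    connection's collation. This emits the ALTER statements so they
--    can be reviewed before being run.
SELECT CONCAT('ALTER TABLE `', TABLE_NAME,
              '` CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;') AS fix
  FROM information_schema.TABLES
 WHERE TABLE_SCHEMA     = 'pi'
   AND TABLE_TYPE       = 'BASE TABLE'
   AND TABLE_COLLATION <> 'utf8_general_ci';

-- 4. Fix the table from the log, and set the schema default so tables
--    created later (e.g. by migrations) do not fall back to latin1.
ALTER DATABASE `pi` CHARACTER SET utf8 COLLATE utf8_general_ci;
ALTER TABLE `pi`.`challenge` CONVERT TO CHARACTER SET utf8 COLLATE utf8_general_ci;

-- 5. Verify: the column collations should now equal coll_conn from step 2.
SELECT COLUMN_NAME, COLLATION_NAME
  FROM information_schema.COLUMNS
 WHERE TABLE_SCHEMA = 'pi'
   AND TABLE_NAME   = 'challenge'
   AND COLUMN_NAME IN ('serial', 'transaction_id');
```

Take a dump of the schema before running the ALTER statements, since CONVERT TO CHARACTER SET rewrites every string column in the table, and stop privacyIDEA while it runs so no challenge rows are written mid-conversion. Step 3 matters because the same mismatch will show up on any other table the application compares against a bound string parameter, not just `challenge`.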

That did it! Thanks for the assist. I came across that solution as well but was hesitant to make that change to the DB; I didn’t want to end up causing other issues for PrivacyIdea.