The Palo Alto, Cisco ACS, or other Validation server logs show an error saying that it cannot get the password attribute.
The validation server logs may show access-reject errors related to the LDAP password or LDAP username.
text=Sending Access-Reject for user [jsmith] , reason=7; User not found in LDAP. Can't get password attribute
The Palo Alto or Cisco ACS is using other protocols that are not supported.
Use the password authentication protocol(PAP). Other protocols will need to be disabled, including CHAP/MSCHAP/PEAP, which are not currently supported.
Click here for instructions for Palo Alto
Lastly, ensure that the Radius shared secret matches.