https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/458002#M101869 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a>&nbsp;so I just test what you suggest with the ssh -l its the something. I can to screen prompting me to enter the password as soon as I enter the password the screen goes back to <A href="mailto:username@domain.com@ipaddress" target="_blank" rel="noopener">username@domain.com@ipaddress</A>&nbsp;password:&nbsp; and if I enter the password again I get a connection closed by ip address port 22. I think think the problem here is how its setup on the TACACS side.</P><P>As for the need, there are multiple domains and we have admins on different domains.</P><DIV class="">&nbsp;</DIV> Tue, 11 Jan 2022 16:47:20 GMT samisu 2022-01-11T16:47:20Z https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/457830#M101850 <P>Has anyone been able to authenticate to the CLI using a username such as <A href="mailto:username@domain.com" target="_blank" rel="noopener">username@domain.com</A>&nbsp;over SSH using TACACS+ as authentication. Authenticating using the WebUI works fine, but when you try to SSH using ssh <A href="mailto:username@domain.com@ipaddress" target="_blank" rel="noopener">username@domain.com@ipaddress</A>&nbsp;it just sends you back to the username screen. ( user is a superadmin role)</P> Mon, 10 Jan 2022 19:27:59 GMT https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/457830#M101850 samisu 2022-01-10T19:27:59Z https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/457929#M101855 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/200594">@samisu</a>,</P> <P>- What do you mean by "back to username screen"? Do you mean password prompt"</P> <P>- I was thinking that two "@" could confuse the ssh command and it is not able to identify which part is username and which hostname, but I just test it and it seems it shouldn't be a problem. However just for the test, try to connect with "ssh -l <A href="mailto:username@domain.com" target="_blank">username@domain.com</A> ipaddress"</P> <P>- What firewall system logs are showing when you try to login with ssh? Does it show the whole username "username@domain.com"?</P> <P>&nbsp;</P> <P>On other hand - do you really need for the user to enter domain when accessing firewall management? If your TACACS is expecting username in the form of "username@domain.com", you can create Authentication Profile that will append the domain to the user input</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Astardzhiev_1-1641899966961.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/38567i8C13EF9DA715082A/image-size/medium?v=v2&amp;px=400" role="button" title="Astardzhiev_1-1641899966961.png" alt="Astardzhiev_1-1641899966961.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 11 Jan 2022 11:19:36 GMT https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/457929#M101855 aleksandar.astardzhiev 2022-01-11T11:19:36Z https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/457972#M101863 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/200594">@samisu</a>,</P> <P>This&nbsp;<EM>should&nbsp;</EM>work just based off of a quick test that I did as long as they SSH client being utilized isn't escaping anything. When you look at the logs (System -&gt; (subtype eq auth)) do you see the proper user being submitted?&nbsp;</P> Tue, 11 Jan 2022 15:26:04 GMT https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/457972#M101863 BPry 2022-01-11T15:26:04Z https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/458002#M101869 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/70130">@aleksandar.astardzhiev</a>&nbsp;so I just test what you suggest with the ssh -l its the something. I can to screen prompting me to enter the password as soon as I enter the password the screen goes back to <A href="mailto:username@domain.com@ipaddress" target="_blank" rel="noopener">username@domain.com@ipaddress</A>&nbsp;password:&nbsp; and if I enter the password again I get a connection closed by ip address port 22. I think think the problem here is how its setup on the TACACS side.</P><P>As for the need, there are multiple domains and we have admins on different domains.</P><DIV class="">&nbsp;</DIV> Tue, 11 Jan 2022 16:47:20 GMT https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/458002#M101869 samisu 2022-01-11T16:47:20Z https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/458003#M101870 <P>there is no logs in the PAN device showing any successful authentication. The logs from the TACACS server show it authenticated successfully. This points me to what I was thinking before. There is some type of miss configuration on the TACACS side. Thank you!</P> Tue, 11 Jan 2022 16:49:56 GMT https://live.paloaltonetworks.com/t5/general-topics/cli-access-with-email-usernames/m-p/458003#M101870 samisu 2022-01-11T16:49:56Z