https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63752#M38315 <P>OK, next, did you check the box on your RADIUS profile "Administrator use only" (just underneath the profile name itself)?</P> Thu, 27 Aug 2015 21:18:07 GMT Lucky 2015-08-27T21:18:07Z https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63736#M38303 <P>Greetings!</P><P>&nbsp;</P><P>Am troubleshooting PA authentication using RADIUS. The user is part of the appropriate AD group for the RADIUS configuration and the PA and RADIUS server are both setup for RADIUS auth.</P><P>&nbsp;</P><P>On the PA side, added an administrator and set their auth profile as the radius profile. When the user tries to login, the PA log shows:</P><P>&nbsp;</P><P>User 'userX' authentication. From: IP</P><P>&nbsp;</P><P>then another message</P><P>&nbsp;</P><P>Authorization failed for user Userx via Web from IP : Invalid role</P> Thu, 27 Aug 2015 19:00:20 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63736#M38303 SDorsey 2015-08-27T19:00:20Z https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63738#M38305 <P>While I cannot remember the exact error we were seeing, however our usernames had a special character in the begining and the PAN did not like that at all.</P><P>&nbsp;</P><P>Not sure if that is the case here.</P> Thu, 27 Aug 2015 19:17:14 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63738#M38305 OtakarKlier 2015-08-27T19:17:14Z https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63749#M38312 <P>Hello,</P><P>&nbsp;</P><P>when you added that new admin, can you check if you selected his/hers role as "dynamic" or "role based"? Could it be that you are missing role setup? Change that to dynamic just for test?</P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Luciano</P> Thu, 27 Aug 2015 21:02:27 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63749#M38312 Lucky 2015-08-27T21:02:27Z https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63751#M38314 <P>Thank you for your reply. It's set to Dynamic - Superuser.&nbsp;</P> Thu, 27 Aug 2015 21:15:26 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63751#M38314 SDorsey 2015-08-27T21:15:26Z https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63752#M38315 <P>OK, next, did you check the box on your RADIUS profile "Administrator use only" (just underneath the profile name itself)?</P> Thu, 27 Aug 2015 21:18:07 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63752#M38315 Lucky 2015-08-27T21:18:07Z https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63753#M38316 <P>and if you did, did you also try to uncheck it <span class="lia-unicode-emoji" title=":grinning_face_with_smiling_eyes:">😄</span></P> Thu, 27 Aug 2015 21:20:02 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63753#M38316 Lucky 2015-08-27T21:20:02Z https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63757#M38320 <P>Hi,</P><P>&nbsp;</P><P>few more things that could be useful in troubleshooting:</P><P>less mp-log authd.log</P><P>tail follow yes mp-log authd.log</P><P>&nbsp;</P><P>and if needed, big hammer:</P><P>debug authentication connection-show protocol-type &lt;TACACS+|LDAP|Kerberos|RADIUS&gt; connection-id &lt;0-4294967295&gt;<BR />debug authentication connection-debug-on protocol-type &lt;TACACS+|LDAP|Kerberos|RADIUS&gt; connection-id &lt;0-4294967295&gt; debug-prefix &lt;value&gt;<BR />debug authentication connection-debug-off protocol-type &lt;TACACS+|LDAP|Kerberos|RADIUS&gt; connection-id &lt;0-4294967295&gt;</P><P>&nbsp;</P><P>last, but not the least, a few articles...</P><P>&nbsp;</P><P>troubleshooting radius</P><P><A href="https://live.paloaltonetworks.com/t5/Articles/Troubleshooting-RADIUS-Authentication/ta-p/59200" target="_blank">https://live.paloaltonetworks.com/t5/Articles/Troubleshooting-RADIUS-Authentication/ta-p/59200</A></P><P>&nbsp;</P><P>identify secret key mismatch for radius</P><P><A href="https://live.paloaltonetworks.com/t5/Articles/How-to-Identify-Secret-Key-Mismatch-Between-Palo-Alto-Networks/ta-p/54612" target="_blank">https://live.paloaltonetworks.com/t5/Articles/How-to-Identify-Secret-Key-Mismatch-Between-Palo-Alto-Networks/ta-p/54612</A></P><P>&nbsp;</P><P>Admin roles (in panorama but you can correlate):</P><P><A href="https://live.paloaltonetworks.com/t5/Articles/Separate-Panorama-Admins-Access-Domains-using-RADIUS/ta-p/54432" target="_blank">https://live.paloaltonetworks.com/t5/Articles/Separate-Panorama-Admins-Access-Domains-using-RADIUS/ta-p/54432</A></P><P>&nbsp;</P><P>Regards</P><P>&nbsp;</P><P>Luciano</P> Thu, 27 Aug 2015 21:55:16 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/63757#M38320 Lucky 2015-08-27T21:55:16Z https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/535087#M110097 <P>I am facing the exact same issue. Did you happen to resolve this? If so, could you please let me know the fix.</P> Mon, 20 Mar 2023 15:02:09 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/535087#M110097 CharlesAntonyAlfred 2023-03-20T15:02:09Z https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/549411#M112107 <P>Same issue as well</P> <P>&nbsp;</P> Fri, 14 Jul 2023 19:57:51 GMT https://live.paloaltonetworks.com/t5/general-topics/invalid-role-radius/m-p/549411#M112107 Schneur_Feldman 2023-07-14T19:57:51Z