https://live.paloaltonetworks.com/t5/general-topics/ssh-to-management-interface-radius-auth-pan-os-10-0-4/m-p/399595#M91556 <P>I also noted the following:</P><P>&nbsp;</P><P data-unlink="true">Due to a SAML authentication need, we have the default username set to UPN so that group memberships are seen accurately. When I specify the Username modifier for the RADIUS profile to be %USERINPUT%@%USERDOMAIN%&nbsp;&nbsp;the allow list check begins failing for the auth profile. Wouldn't it stand to reason the Username modifier should be applied before the group check is performed? Wouldn't it also make sense to honor the alternate username defined in the group mapping settings?</P><P>&nbsp;</P><P data-unlink="true">I can get the SSH connection to work by setting the auth profile to allow all, and updating the Username modifier as per the above. This makes me think it doesn't like the format of %USERNAME%@%DOMAIN%@%FW-ADDRESS%. I know SSH can do this format because I've used it in other implementations. The question becomes, how to get the group mappings for SAML and RADIUS to both play nicely on the same domain without querying the groups twice..... for now I have 2 group mapping settings defined, one for SAML and one for RADIUS with the different groups in each.</P><P data-unlink="true">&nbsp;</P><P data-unlink="true">Opened a ticket and will report back if I find anything else out.</P> Sat, 17 Apr 2021 02:12:32 GMT D_Baerry 2021-04-17T02:12:32Z https://live.paloaltonetworks.com/t5/general-topics/ssh-to-management-interface-radius-auth-pan-os-10-0-4/m-p/399571#M91555 <P>Working on an HA Pair of PA-820 firewalls and just finished configuring auth for management interfaces. Went to test, and found that the firewall said auth succeeds, but the SSH connection immediately drops.</P><P>&nbsp;</P><P>Config:</P><UL><LI>Auth profile is RADIUS (Windows NPS server)</LI><LI>PAN OS 10.0.4</LI></UL><P>Tests:</P><UL><LI>Authentication to web interface works for user via RADIUS profile</LI><LI>Authentication to SSH interface says authenticated in the system log, but the SSH connection immediately drops<UL><LI>Tried connection via SSH client on a Mac, Putty, and Windows SSH client. All yield the same results.</LI><LI>debug log for SSH client shows nothing</LI></UL></LI><LI>Authentication to SSH via local user accounts on the firewall have no issue</LI></UL><P>&nbsp;</P><P>Anyone seen this before? Possible bug?</P> Fri, 16 Apr 2021 23:31:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-to-management-interface-radius-auth-pan-os-10-0-4/m-p/399571#M91555 D_Baerry 2021-04-16T23:31:32Z https://live.paloaltonetworks.com/t5/general-topics/ssh-to-management-interface-radius-auth-pan-os-10-0-4/m-p/399595#M91556 <P>I also noted the following:</P><P>&nbsp;</P><P data-unlink="true">Due to a SAML authentication need, we have the default username set to UPN so that group memberships are seen accurately. When I specify the Username modifier for the RADIUS profile to be %USERINPUT%@%USERDOMAIN%&nbsp;&nbsp;the allow list check begins failing for the auth profile. Wouldn't it stand to reason the Username modifier should be applied before the group check is performed? Wouldn't it also make sense to honor the alternate username defined in the group mapping settings?</P><P>&nbsp;</P><P data-unlink="true">I can get the SSH connection to work by setting the auth profile to allow all, and updating the Username modifier as per the above. This makes me think it doesn't like the format of %USERNAME%@%DOMAIN%@%FW-ADDRESS%. I know SSH can do this format because I've used it in other implementations. The question becomes, how to get the group mappings for SAML and RADIUS to both play nicely on the same domain without querying the groups twice..... for now I have 2 group mapping settings defined, one for SAML and one for RADIUS with the different groups in each.</P><P data-unlink="true">&nbsp;</P><P data-unlink="true">Opened a ticket and will report back if I find anything else out.</P> Sat, 17 Apr 2021 02:12:32 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-to-management-interface-radius-auth-pan-os-10-0-4/m-p/399595#M91556 D_Baerry 2021-04-17T02:12:32Z https://live.paloaltonetworks.com/t5/general-topics/ssh-to-management-interface-radius-auth-pan-os-10-0-4/m-p/399602#M91557 <P>I've got a config that is where I want it to be, and works, but seems to indicate there are 2 (possibly related) bugs. Here is the config in a nutshell:</P><P>&nbsp;</P><P><U>Management Auth</U></P><UL><LI>RADIUS Auth Profile with the username modifier set to %USERDOMAIN%\%USERINPUT%</LI><LI>Allow List in Auth Profile set to Admin Group</LI><LI>Group Mapping Profile (pulling from LDAP) set with Primary Username to be sAMAccountName</LI></UL><P>This setup allows me to leave the SAML config alone and login successfully to both SSH and WEBUI.</P><P>&nbsp;</P><P><STRONG>Potential Bugs:</STRONG>&nbsp;When primary username is set to UserPrincipalName in Group Mappings</P><UL><LI>When Username modifier is set to <A href="mailto:%USERINPUT%@%USERDOMAIN%" target="_blank" rel="noopener">%USERINPUT%@%USERDOMAIN%</A>&nbsp;the %USERDOMAIN% is not being applied during user mapping check</LI><LI>When user enters fully qualified identity for SSH login (Username modifier set to %USERINPUT%) the SSH session terminates right after successful auth</LI></UL> Sat, 17 Apr 2021 02:28:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ssh-to-management-interface-radius-auth-pan-os-10-0-4/m-p/399602#M91557 D_Baerry 2021-04-17T02:28:23Z