Radius Authentication Failure: Timeout

ColeBryner — Fri, 10 Sep 2021 17:45:54 GMT

Issue: Authentication failure when using AD Account

Log: Authentication Timeout to server

Setup:

PanOS Version: 10.1.1

Panorama is not used

NPS Installed on Windows Server 2016

Radius Server Profile Created

Authentication Profile Created

Admin Role Created

Linked in Setup

NPS Client and Policy Created( 25461 - uses created admin role, uses PAP)

Tested:

Tested Policies on dev and worked

Possible issue:

The Authentication setting has second gear that sates "Stack Override:" not present in dev.

Question:

Is it Possible that the override is changing my settings and pointing to a local login instead?

Re: Radius Authentication Failure: Timeout

S.Cantwell — Fri, 10 Sep 2021 21:40:49 GMT

Hello

I am running 10.1.1 and I too have the same orange "override" gear, so that is part of the operating system for 10.1.1

If you have your auth profile to Radius, then should be working.

CLI into the firewall and issue:

tail follow yes mp-log authd.log (confirm my synatax..) and watch as your user attempts to authenticate.

just keep in mind that the FW is not failing your authentication... your Radius server is... and the FW merely acts a the messenger to say "invalid username or password" or similar.

As a test, try to create a local users (not admin account user) but under Device ==> Local Users. And create an auth profile, pointed back to that local user. If auth works locally (where the FW is the authentication server), but fails when you change to LDAP or Radius, this will confirm/illustrate that either your auth profile is incorrect (IP, shared secret, service account name, port name, etc.)

topic Radius Authentication Failure: Timeout in General Topics

Radius Authentication Failure: Timeout

Re: Radius Authentication Failure: Timeout