I am troubleshooting PA authentication using RADIUS. The user is part of the appropriate AD group for the RADIUS configuration, and the PA and the RADIUS server are both set up for RADIUS auth.
On the PA side, I added an administrator and set their auth profile to the RADIUS profile. When the user tries to log in, the PA log shows:
User 'userX' authentication. From: IP
then another message:
Authorization failed for user Userx via Web from IP : Invalid role
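Added example, not code from this thread or from Palo Alto Networks: a small Python scanner over log lines shaped like the two messages quoted above. The sequence matters when reading these messages: an authentication line followed by "Authorization failed ... Invalid role" for the same user means the credential check passed and the failure is in role assignment, which is worth confirming before chasing the RADIUS server or shared secret. The sample lines, the IP addresses and the "Permission denied" reason are constructed, and case-folding the username is an assumption made because the thread shows 'userX' and 'Userx' for the same login.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on the two messages quoted in the question.
# They are not real authd.log output; the exact PAN-OS wording may differ.
SAMPLE_LOG = """\
User 'userX' authentication. From: 192.0.2.10
Authorization failed for user Userx via Web from 192.0.2.10 : Invalid role
User 'netops' authentication. From: 192.0.2.11
Authorization failed for user auditor via Web from 192.0.2.12 : Permission denied
some unrelated daemon chatter
"""

# Patterns for the two message shapes shown in the question.
AUTH_RE = re.compile(r"^User '(?P<user>[^']+)' authentication\. From: (?P<ip>\S+)")
AUTHZ_FAIL_RE = re.compile(
    r"^Authorization failed for user (?P<user>\S+) via (?P<via>\S+) "
    r"from (?P<ip>\S+) : (?P<reason>.+?)\s*$"
)


def classify_line(line):
    """Return (kind, user, detail) for a recognised line, else None.

    Usernames are case-folded (assumption) because the question shows
    'userX' in the authentication line and 'Userx' in the authorization
    line for what is clearly the same login attempt.
    """
    m = AUTH_RE.match(line)
    if m:
        return ("auth", m["user"].casefold(), m["ip"])
    m = AUTHZ_FAIL_RE.match(line)
    if m:
        return ("authz_fail", m["user"].casefold(), m["reason"])
    return None


def diagnose(log_text):
    """Map each user to a verdict derived from the order of events.

    'role_mapping' - authenticated, then 'Invalid role': the credential check
                     passed; look at the admin's role type and role assignment.
    'authz_failed' - authenticated, then some other authorization failure.
    'ok'           - authentication seen, no authorization failure.
    'authz_only'   - authorization failure with no preceding auth line.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        hit = classify_line(line)
        if hit:
            kind, user, detail = hit
            events[user].append((kind, detail))

    verdicts = {}
    for user, evs in events.items():
        authed = any(kind == "auth" for kind, _ in evs)
        reasons = [detail for kind, detail in evs if kind == "authz_fail"]
        if reasons and "invalid role" in " ".join(reasons).casefold():
            verdicts[user] = "role_mapping" if authed else "authz_only"
        elif reasons:
            verdicts[user] = "authz_failed" if authed else "authz_only"
        else:
            verdicts[user] = "ok"
    return verdicts


if __name__ == "__main__":
    for user, verdict in sorted(diagnose(SAMPLE_LOG).items()):
        print(f"{user:10s} {verdict}")
```

Run it against a copy of the relevant authd.log lines (or paste the lines into SAMPLE_LOG); a 'role_mapping' verdict says the RADIUS exchange itself succeeded, so the next thing to check is how the administrator's role is configured on the firewall rather than the RADIUS server.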
While I cannot remember the exact error we were seeing, our usernames had a special character at the beginning and the PAN did not like that at all.
Not sure if that is the case here.
When you added that new admin, can you check whether you selected his/her role as "dynamic" or "role based"? Could it be that you are missing the role setup? Change that to dynamic just for a test?
A few more things that could be useful in troubleshooting:
less mp-log authd.log
tail follow yes mp-log authd.log
And if needed, the big hammer:
debug authentication connection-show protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295>
debug authentication connection-debug-on protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295> debug-prefix <value>
debug authentication connection-debug-off protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295>
Last, but not least, a few articles...
Identify secret key mismatch for RADIUS
Admin roles (in Panorama, but you can correlate):