Invalid Role - RADIUS

L4 Transporter

Invalid Role - RADIUS

Greetings!

I am troubleshooting PA authentication using RADIUS. The user is part of the appropriate AD group for the RADIUS configuration, and the PA and RADIUS server are both set up for RADIUS auth.

On the PA side, I added an administrator and set their auth profile as the RADIUS profile. When the user tries to log in, the PA log shows:

User 'userX' authentication. From: IP

and then another message:

Authorization failed for user Userx via Web from IP : Invalid role

L7 Applicator

Re: Invalid Role - RADIUS

While I cannot remember the exact error we were seeing, our usernames had a special character at the beginning and the PAN did not like that at all.

Not sure if that is the case here.

L5 Sessionator

Re: Invalid Role - RADIUS

Hello,

When you added that new admin, can you check whether you selected his/her role as "dynamic" or "role based"? Could it be that you are missing the role setup? Change that to dynamic just for a test?

Regards

Luciano

L4 Transporter

Re: Invalid Role - RADIUS

Thank you for your reply. It's set to Dynamic - Superuser.

L5 Sessionator

Re: Invalid Role - RADIUS

OK, next, did you check the box on your RADIUS profile "Administrator use only" (just underneath the profile name itself)?

L5 Sessionator

Re: Invalid Role - RADIUS

And if you did, did you also try to uncheck it? :D

L5 Sessionator

Re: Invalid Role - RADIUS

Hi,

A few more things that could be useful in troubleshooting:

less mp-log authd.log

tail follow yes mp-log authd.log

And if needed, the big hammer:

debug authentication connection-show protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295>
debug authentication connection-debug-on protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295> debug-prefix <value>
debug authentication connection-debug-off protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295>

Last, but not least, a few articles...

Troubleshooting RADIUS:

https://live.paloaltonetworks.com/t5/Articles/Troubleshooting-RADIUS-Authentication/ta-p/59200

Identify a secret key mismatch for RADIUS:

https://live.paloaltonetworks.com/t5/Articles/How-to-Identify-Secret-Key-Mismatch-Between-Palo-Alto-...

Admin roles (in panorama but you can correlate):

https://live.paloaltonetworks.com/t5/Articles/Separate-Panorama-Admins-Access-Domains-using-RADIUS/t...

Regards

Luciano
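
The two log messages quoted in the original post are the useful signal here: the first says the credentials were accepted, the second says authorization failed on the role, so this is a role-mapping problem rather than a password or shared-secret problem. As an added example (not from this thread or from Palo Alto Networks), a small Python triage script that reads log lines in the shape of those two messages and reports, per admin, whether authentication passed and why authorization failed. The message wording and the sample lines are assumptions modelled on the quoted text; note that the quoted lines spell the user as 'userX' and 'Userx', so usernames are lower-cased before correlating.

```python
import re
from collections import defaultdict

# Constructed sample lines, shaped like the two messages quoted in the thread.
# The exact PAN-OS wording is an assumption; adjust the regexes to your own logs.
SAMPLE_LOG = """\
User 'userX' authentication. From: 192.0.2.10
Authorization failed for user Userx via Web from 192.0.2.10 : Invalid role
User 'alice' authentication. From: 192.0.2.11
Authorization failed for user bob via Web from 192.0.2.12 : Invalid role
"""

AUTH_OK = re.compile(r"User '(?P<user>[^']+)' authentication\. From: (?P<ip>\S+)")
AUTHZ_FAIL = re.compile(
    r"Authorization failed for user (?P<user>\S+) via (?P<via>\S+) "
    r"from (?P<ip>\S+) : (?P<reason>.+?)\s*$"
)

def parse_events(text):
    """Yield (kind, user, ip, reason); usernames lower-cased so 'userX' and 'Userx' match."""
    for line in text.splitlines():
        m = AUTH_OK.search(line)
        if m:
            yield ("auth_ok", m["user"].lower(), m["ip"], None)
            continue
        m = AUTHZ_FAIL.search(line)
        if m:
            yield ("authz_fail", m["user"].lower(), m["ip"], m["reason"])

def diagnose(text):
    """Per user: was authentication accepted, which authorization reasons were logged, and a verdict."""
    state = defaultdict(lambda: {"auth_ok": False, "reasons": []})
    for kind, user, _ip, reason in parse_events(text):
        if kind == "auth_ok":
            state[user]["auth_ok"] = True
        else:
            state[user]["reasons"].append(reason)
    report = {}
    for user, s in state.items():
        if s["auth_ok"] and "Invalid role" in s["reasons"]:
            # Credentials fine; the PA could not map the admin to a valid role.
            verdict = "credentials OK, role mapping failed: check the admin's role setup"
        elif s["auth_ok"]:
            verdict = "login OK"
        else:
            verdict = "authorization failure with no preceding authentication record"
        report[user] = {"auth_ok": s["auth_ok"], "reasons": s["reasons"], "verdict": verdict}
    return report
```

Run `diagnose(open("authd.log").read())` against an export of the authentication log to get the same per-user verdicts for real data.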
