Admin Accounts Configured using RADIUS are not able to SSH to the Firewall


Issue

If a RADIUS admin user does not first authenticate to the Palo Alto Networks firewall through the WebUI, that user cannot authenticate through SSH.

Cause

When a local admin user is configured on the Palo Alto Networks firewall, a home directory is created for that user. If an admin user's authentication profile is defined for RADIUS only, the firewall does not have a corresponding home directory for that user. In this case, the first login through SSH fails because there is no home directory on the firewall. When the user first logs on through the WebUI, the firewall creates that home directory for subsequent SSH logons.

Resolution

Admin accounts using RADIUS require a WebUI logon first, before the SSH logon works. An additional workaround for this issue is to configure local admin accounts on the firewall through the Device > Administrators tab for admins who would only have CLI command access.

owner: dmaynard

Comments

PAN FWs should give a default banner to that effect, as soon as we enter username in CLI. Many users will waste a lot of time before they find this out.

Hi @Nishant_Kumar

you can reach out to a local sales contact and have them create a feature request to have this added to the product, if you like

Is this still an issue? I would think a better feature request would be for the fw to create the missing directory if a valid user properly authenticates, and the directory is not present.

hi @fbg123

you can reach out to your sales team to submit feature requests

Ciao,

I'm using TACACS and SSH access doesn't seem to work. No problem with WebGUI.