Troubleshooting RADIUS Authentication
Resolution
Confirm that group membership is correct:
- Monitor tab > Logs > System
- Look for “user is not in allow list”.
This means the user is not in the group selected in the Authentication Profile.
From the CLI run the command:
> show user pan-agent user-IDs
Search for the user name by typing “/” then the username to verify with which groups the Palo Alto Networks device is associating the user.
If the above error doesn't apply, the issue is likely with the RADIUS server.
Some common server issues include:
- The wrong IP address is entered in the RADIUS server configuration.
- The shared secret is mistyped. Do not paste the password into the Secret field; type it.
- The wrong IP address is entered in the RADIUS client configuration on the RADIUS server.
- The RADIUS server policy may be invalid because of:
  - the wrong Windows group
  - the wrong NAS-IP address
  - PAP authentication not being set up
Events can be viewed on the RADIUS server in Event Viewer > System logs > IAS.
(Screenshot: Windows 2008 Event Viewer, System logs, IAS)
If the wrong IP address is used in the RADIUS server configuration on the PAN firewall, the following entry will be seen in the System Log on the firewall:
Use the following CLI command to view authd.log:
> less mp-log authd.log
If the shared secret is incorrect, the same error message will appear in authd.log. An error similar to the following will be visible in Event Viewer on a Windows Server 2003 RADIUS server:
If the wrong IP address is used in the RADIUS client configuration on the RADIUS server, the following error messages will appear in the Windows Event Viewer:
The firewall will display the same System Log entry as above in the event of an invalid policy on the RADIUS server, but the authd.log entry will be different:
If the wrong Windows group or the wrong NAS-IP address is configured, or if PAP authentication is not set up, the Event Viewer on the RADIUS server will display the following errors:
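The checklist above separates three failure modes: a request that never reaches a listening server (wrong server IP, or the firewall missing from the server's client list), a request the server cannot decode (mistyped shared secret), and a request the server decodes but rejects (policy: Windows group, NAS-IP address, PAP). The following added example, which is not part of the article and not a Palo Alto Networks tool, shows why each looks the way it does by implementing the RFC 2865 PAP password hiding and Response Authenticator check with only the Python standard library. It assumes UDP port 1812, a plain PAP Access-Request with no Message-Authenticator attribute, and a NAS-IP-Address equal to the firewall's management address; all function names and the sample addresses are this example's own.

```python
# Added example: minimal RFC 2865 RADIUS/PAP probe for troubleshooting.
# Assumptions (not from the article): UDP 1812, plain PAP, no Message-Authenticator.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def encrypt_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Hide a PAP password per RFC 2865 section 5.2: null-pad to a multiple of 16,
    then XOR each block with MD5(secret + previous block), seeded by the
    Request Authenticator. The secret never travels on the wire."""
    padded_len = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(padded_len, b"\x00")
    out, prev = b"", request_auth
    for i in range(0, padded_len, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_pap_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server-side reversal. With a mistyped secret the result is garbage, so a
    wrong shared secret surfaces as an ordinary authentication failure."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")  # assumes the real password has no trailing NULs


def _attr(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value; Length includes the two header bytes."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, request_auth=None):
    """Return (packet, request_authenticator) for a PAP Access-Request."""
    request_auth = request_auth or os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, encrypt_pap_password(password.encode(), secret, request_auth))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs, request_auth


def build_response(code, identifier, request_auth, secret, attrs=b""):
    """What a server computes: Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    Used here only to simulate a server for offline checks."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_auth, identifier, secret):
    """Return (authentic, code); authentic is False when the reply was not made
    with our secret for our request, or was altered in transit."""
    if len(packet) < HEADER_LEN:
        return False, None
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if ident != identifier or length < HEADER_LEN or length > len(packet):
        return False, code
    packet = packet[:length]  # octets beyond Length are padding per RFC 2865
    expected = hashlib.md5(packet[:4] + request_auth + packet[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:HEADER_LEN]), code


def probe_radius(server_ip, secret, username, password, nas_ip, port=1812, timeout=3.0):
    """Send one Access-Request and map the outcome onto the checklist."""
    secret = secret.encode() if isinstance(secret, str) else secret
    identifier = os.urandom(1)[0]
    packet, request_auth = build_access_request(identifier, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server_ip, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "no reply: wrong server IP, no client entry for this NAS, or request discarded"
    authentic, code = verify_response(data, request_auth, identifier, secret)
    if not authentic:
        return "reply failed the Response Authenticator check: shared secret mismatch"
    if code == ACCESS_ACCEPT:
        return "Access-Accept"
    if code == ACCESS_REJECT:
        return "Access-Reject: credentials or server policy (Windows group, NAS-IP, PAP)"
    return f"unexpected code {code}"


if __name__ == "__main__":
    # Placeholder addresses and secret; substitute the firewall's RADIUS settings.
    print(probe_radius("192.0.2.10", "shared-secret", "testuser", "testpass", "192.0.2.1"))
```

Run it from a host that sits where the firewall's management interface does, so the NAS-IP-Address and source address match the client entry on the RADIUS server; a timeout points at the address or client-entry problems, a reply that fails the authenticator check points at the shared secret, and a verified Access-Reject narrows the search to the policy items in the list above.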
Successful RADIUS Authentication
For comparison, a successful authentication is visible in the same two places:
- Monitor tab > Logs > System
- CLI: > less mp-log authd.log
owner: bnitz