Add Device Authentication Failure

L1 Bithead

More of an advice posting than a request for assistance.

 

Do not make your PA firewall admin password really crazy long and complex (like I did ~ at 19 characters long).

If you do, you might get tripped up by Expedition when you try and add a device and the user API keys.

 

Background:

New PA-440 Firewall (FW)

Stood up Expedition VM on Monday the 21st.

 

I kept getting "Invalid Credential" in Expedition when trying to add the API key for admin with my crazy long complex pwd.

I was able to SSH from the Ubuntu Server to the FW using admin with its 19-character long password so was greatly puzzled why Expedition was bombing out. Even opened a case on PA support. Lots of inconclusive results found.

 

After a Zoom session a short time ago with my local PA VAR and an SE with PA, I found a clue to a possible solution in the /home/userSpace/devices/debug.txt file: only part of that long booger of a pwd was being transmitted to the FW so of course(!) authentication is going to fail! As an aside, I find it curious that the pwd used is in clear text in the debug.txt file!

 

After changing my FW admin pwd to something that _just_ meets the security requirements (8 long, one cap, 5 lower and 2 bangs), committing, signing out of everything, signing back into Expedition, adding my device and using the shorter admin pwd, the add succeeded and the 3 keys were populated!

5 REPLIES

L2 Linker

I'm running into the same issue.  PWD = 9 characters, upper case, lower case, number, special character #

Any recommendations?

@M.Anderson Try to remove the special character and try again. If it's still not working, you can try creating a new user account on the firewall and assigning the API read permission.

L2 Linker

I did both.  Added a new user account with API read permissions, as well as removing the special character.  Thank you sir!

 

L0 Member

Any resolution to this? I've tried username/password, API login, removal of special characters, etc.

Hi @AnthonyPacheco 

 

Try to execute the external command below, and later in Expedition create the device and add the created API_KEY directly.

 

curl -H "Content-Type: application/x-www-form-urlencoded" -X POST 'https://firewall/api/?type=keygen' -d 'user=<user>&password=<password>'

Reference article: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/get-your...

 

Hope this helps,

 

David
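An added example, not part of any post in this thread and not Expedition's code: it shows one way a password can reach a server shortened, namely special characters placed unescaped in an `application/x-www-form-urlencoded` body like the one the curl command above sends. The thread does not say why Expedition transmitted only part of the password, so this mechanism is an assumption; the function names and sample values are constructed, and the response shape follows the PAN-OS keygen reply (`<response status=...><result><key>` or `<msg>`).

```python
"""Added example: how an unescaped form body shortens a password."""
from urllib.parse import parse_qs, urlencode
import xml.etree.ElementTree as ET

# Constructed 19-character password; not a real credential.
SAMPLE_PASSWORD = "Tr1cky&Pass#w0rd+%!"


def naive_body(user: str, password: str) -> str:
    """Concatenate the fields without escaping, as a hand-built -d string does."""
    return f"user={user}&password={password}"


def encoded_body(user: str, password: str) -> str:
    """Percent-encode each field for application/x-www-form-urlencoded."""
    return urlencode({"user": user, "password": password})


def password_as_received(body: str) -> str:
    """Decode the body the way a standard form parser on the server would."""
    return parse_qs(body, keep_blank_values=True).get("password", [""])[0]


def parse_keygen_response(xml_text: str) -> str:
    """Return the API key, or raise ValueError with the firewall's message."""
    root = ET.fromstring(xml_text)
    if root.get("status") == "success":
        key = root.findtext("result/key")
        if key:
            return key
    raise ValueError(root.findtext("result/msg") or "keygen failed")


if __name__ == "__main__":
    # Report lengths only, so the password itself never lands in output.
    for build in (naive_body, encoded_body):
        got = password_as_received(build("admin", SAMPLE_PASSWORD))
        intact = got == SAMPLE_PASSWORD
        print(f"{build.__name__}: {len(got)}/{len(SAMPLE_PASSWORD)} chars, intact={intact}")
```

With curl, passing each field through `--data-urlencode` instead of a single `-d` string applies the same per-field encoding.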

 
