01-25-2012 11:25 AM
I ran across a strange issue when provisioning a new Administrator on our team. The background is that we use Cisco ACS 5.1 as our RADIUS authentication for our PA firewalls. All of the correct VSAs are input and appropriate Authorization Policies created for Firewalls and Panorama. We do not use local accounts, and instead rely on ACS to do authorization, which keeps things centralized.
However, I noticed that after I had provisioned this new admin account on ACS the user was not able to successfully authenticate via SSH to the PA firewall. After quite a bit of testing and troubleshooting I ultimately determined that if you do not first authenticate to the firewall via Web UI, you cannot authenticate via SSH. Very odd I thought.
If anyone else can attempt to replicate this issue, please let me know. It's a simple enough work around so nothing critical but I found it curious.
Affected verisons I could test:
01-25-2012 02:23 PM
Thanks for the question..
It would appear that this has been reported before..
We have a bug where "out-of-device" admin accounts require a webUI logon first before the SSH logon works. This is because when you configure admin user on PAN, it also creates a home directory for that user. If you have defined an admin on Radius only, then PAN does not have that user's corresponding home directory. In that case first-time login via SSH fails because there is no home directory. When you first login via webUI it will create that home directory for subsequent SSH logons.
The workaround for this is to configure admins on PAN itself via the Device->Administrators tab for admins that would only have CLI access. At present, this bug has not resolved.
This might be fixed soon in a future release, but we do not know as of yet when that will be.
If you are having issues where locally configured administrators are having to logon via the webUI first, then please call into PAN support for a live troubleshooting session.
07-30-2013 12:14 PM
This issue has come up in 5.0.1, and is resolved in 5.0.5 and 5.1.1.
Ref case 120090
08-05-2013 11:56 AM
Tested in 5.0.6 and it is still an issue.
08-05-2013 12:37 PM
Thanks for the update.. Please allow me to clarify..
on your FW device, you have an admin role as:
Or you need Panorama to push down an admin role also.
08-05-2013 01:36 PM
No such admin role. Admin role is sent via VSA in RADIUS accept message.
07-14-2014 01:43 PM
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!