This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Authentication error after upgrading to 7.0.x

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Authentication error after upgrading to 7.0.x

Go to solution
MohamedSharief
L4 Transporter

‎12-30-2016 02:48 PM

Hi,

 

I've one issue after upgrading for one of my client from 6.1.6 to 7.0.7 regarding Radius authentication. Authentication was successful till we upgrade to the new version. After the upgrade we are getting the error “Number of Access Domains and roles doesn't match for the user". Only local admins can log in but not Radius admins.

 

clienterror.png

 

When I checked the error in community articles I found it related to Panorama as "access domains" only available in Panorama when we are using Radius authentication but they don't have Panorama 🙂

 

I've read another article when they said after version 7.0 PA is using CHAP then fallback to PAP, then I've changed the used protocol to PAP only using the following:

 

> set authentication radius-auth-type PAP

 

But I’m still getting the same error.

 

Then I checked the authd.log and found the following:

 

2016-12-27 15:39:03.411 +0400 debug: pan_authd_radius_set_auth_type(pan_authd_radius.c:67): Set PAP (only) request type to ip:port=10.110.255.122:1812

2016-12-27 15:39:39.984 +0400 debug: pan_auth_request_process(pan_auth_state_engine.c:1540): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 1, body length 2156

2016-12-27 15:39:39.984 +0400 debug: pan_auth_request_process(pan_auth_state_engine.c:1563): Trying to authenticate: <profile: "", vsys: "", username "adm-admin">

2016-12-27 15:39:39.984 +0400 debug: _get_auth_prof_detail(pan_auth_util.c:925): "adm-admin" is an admin user

2016-12-27 15:39:39.984 +0400 debug: _get_admin_authentication_profile_by_name(pan_auth_util.c:505): Got auth prof "Radius" for admin user "adm-admin"

2016-12-27 15:39:39.984 +0400 debug: _get_authseq_profile(pan_auth_util.c:809): Auth profile/vsys (Radius/shared) is NOT auth sequence

2016-12-27 15:39:39.984 +0400 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:260): This is a single vsys platform, group check for allow list is performed on "vsys1"

2016-12-27 15:39:39.984 +0400 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:271): user "adm-admin" is in allow list of auth prof/vsys "Radius/shared"

2016-12-27 15:39:39.984 +0400 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1068): Authenticating user "adm-admin" with <profile: "Radius", vsys: "shared">

2016-12-27 15:39:39.984 +0400 debug: pan_auth_service_get_svr_ids(pan_auth_service.c:630): find auth server id vector for Radius-shared

2016-12-27 15:39:39.984 +0400 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:191): username: adm-admin

2016-12-27 15:39:39.984 +0400 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:412): RADIUS request type: PAP

2016-12-27 15:39:39.985 +0400 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:444): framed-ip-address is zero. Skip it.

2016-12-27 15:39:40.169 +0400 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:241): resp_code = RAD_ACCESS_ACCEPT

2016-12-27 15:39:40.169 +0400 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:262): access domain = superuser

2016-12-27 15:39:40.169 +0400 debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1185): Got response for user: "adm-admin"

2016-12-27 15:39:40.169 +0400 debug: pan_auth_response_process(pan_auth_state_engine.c:2337): auth status: auth success

2016-12-27 15:39:40.169 +0400 debug: pan_auth_response_process(pan_auth_state_engine.c:2355): username: adm-admin, username_only: adm-admin

2016-12-27 15:39:40.169 +0400 debug: pan_auth_response_process(pan_auth_state_engine.c:2391): local admin acct for remote user 'adm-admin' exists

2016-12-27 15:39:40.169 +0400 debug: pan_auth_response_process(pan_auth_state_engine.c:2397): Authentication success: <profile: "Radius", vsys: "shared", username "adm-admin">

2016-12-27 15:39:40.169 +0400 debug: pan_auth_send_auth_resp(pan_auth_server.c:321): Succeed to cache role/adomain /superuser for user adm-admin

2016-12-27 15:39:40.169 +0400 authenticated for user 'adm-admin'.   auth profile 'Radius', vsys 'shared', server profile 'Cisco-ACS-SERVER', server address '10.110.255.121', From: 10.1.132.161.

2016-12-27 15:39:40.169 +0400 debug: _log_auth_respone(pan_auth_server.c:240): Sent SUCCESS auth response for user 'adm-admin' (exp_in_days=-1 (-1 never; 0 within a day))

2016-12-27 15:39:41.251 +0400 debug: pan_auth_request_process(pan_auth_state_engine.c:1540): Receive request: msg type PAN_AUTH_REQ_GROUP, conv id 41, body length 32

2016-12-27 15:39:41.251 +0400 debug: pan_db_funcs_request_process(pan_auth_state_engine.c:906): init'ing group request (authorization)

2016-12-27 15:39:41.251 +0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:745): start to authorize user "adm-admin"

2016-12-27 15:39:41.251 +0400 debug: pan_auth_mgr_get_userinfo(pan_auth_mgr.c:1014): Found userinfo (name/role/ado) cache entry: adm-admin//superuser

2016-12-27 15:39:41.251 +0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:856): Sent authorization response for user "adm-admin": role/domain="/superuser"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1

 

Authentication is successful as the logs said but it’s not completing the authorization for some reason.

 

Anyone have any idea about this issue?

 

Regards,

Sharief

 

Regards,
Sharief
1 person had this problem.
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
MohamedSharief
L4 Transporter
In response to MohamedSharief

‎01-18-2017 01:27 AM

Tried to play with user modifier and domain but its not working also.

 

Now the case is escalated to TAC Support and they couldn't find a proper root cause and pushing me to use TACACS+.

 

Regards,

Sharief

Regards,
Sharief

View solution in original post

0 Likes Likes
9 REPLIES 9

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎01-03-2017 02:57 PM

Hello,

I'm sure you have done this by now, but you may want to contact support. I dont recall having issues when I upgraded and had radius auth.

 

Regards,

0 Likes Likes

Go to solution
MohamedSharief
L4 Transporter
In response to OtakarKlier

‎01-04-2017 01:45 AM

Hi Otakar,

 

Yup. Already contacted Support, they are analyzing this at the moment.

 

Regards,

Sharief

Regards,
Sharief
0 Likes Likes

Go to solution
glastra1
L4 Transporter

‎01-04-2017 10:55 AM

Looks like the radius server is sending radius attribute #4 (for access domains) instead of number #3 (for predefined roles). According to your logs the role is blank but the access domain (ADO) is "superuser" (predefined role)

 

 

access domain = superuser
Found userinfo (name/role/ado) cache entry: adm-admin//superuser
Sent authorization response for user "adm-admin": role/domain="/superuser"

 

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/RADIUS-Vendor-Specific-Attributes-VSA/ta...

  • PaloAlto-Panorama-Admin-Role: Attribute #3 - This can either be a default admin role name or a custom admin role name on Panorama.
  • PaloAlto-Panorama-Admin-Access-Domain: Attribute #4 - This is the name of an Access Domain configured on Panorama as created under Panorama > Access Domains.

If you want to configure admins with access domains you can follow the next guide,

https://live.paloaltonetworks.com/t5/Management-Articles/Separate-Panorama-Admins-Access-Domains-usi...

 

You can place a packet capture to analyze the radius responses at the top of my head they should be on clear text,

https://live.paloaltonetworks.com/t5/Management-Articles/How-To-Packet-Capture-tcpdump-On-Management...

https://live.paloaltonetworks.com/t5/Management-Articles/Tcpdump-Packet-Capture-Truncated/ta-p/63047

 

0 Likes Likes

Go to solution
MohamedSharief
L4 Transporter
In response to glastra1

‎01-05-2017 12:19 AM

Hi glastra1,

 

Actually it shouldn't send any attributes with #3 or #4 cause we are not using Panorama.

Also the Radius server was working just fine before upgrading to 7.0.7

 

Regards,

Sharief

Regards,
Sharief
0 Likes Likes

Go to solution
glastra1
L4 Transporter
In response to MohamedSharief

‎01-05-2017 05:34 AM

It could also be sending attribute number 2, anyway make sure is sending the right attribute depending on your needs and run packet captures just to double check. 

 

https://live.paloaltonetworks.com/t5/Configuration-Articles/RADIUS-Vendor-Specific-Attributes-VSA/ta...

There are 5 attributes:

  • PaloAlto-Admin-Role: Attribute #1 - This can either be a default admin role name or a custom admin role name.
  • PaloAlto-Admin-Access-Domain: Attribute #2 - This is used when a Palo Alto Networks device has multiple vsys.  This is the name of an Access Domain as created under Device > Access Domains.
  • PaloAlto-User-Group: Attribute #5 - This is the name of a group to be used in an Authentication Profile.

regards,

Gerardo.

0 Likes Likes

Go to solution
RFalconer
L3 Networker

‎01-05-2017 10:43 AM

In your Authentication Profile, what are the values for 'User Domain' and 'Username Modifier'?

 

I do remember having an issue going from 6.1 to 7.0 and I'm also using radius with Cisco ACS. I think I might have changed the value in one of these fields.

0 Likes Likes

Go to solution
MohamedSharief
L4 Transporter
In response to RFalconer

‎01-09-2017 04:06 AM

Hey RFalconer,

 

You mean the username and domain in the authentication profile of radius as I understand.

 

Good idea, let me try to change this.

 

Regards,

Sharief

Regards,
Sharief
0 Likes Likes

Go to solution
MohamedSharief
L4 Transporter
In response to MohamedSharief

‎01-18-2017 01:27 AM

Tried to play with user modifier and domain but its not working also.

 

Now the case is escalated to TAC Support and they couldn't find a proper root cause and pushing me to use TACACS+.

 

Regards,

Sharief

Regards,
Sharief
0 Likes Likes

Go to solution
Sachin.Kusuma
L0 Member
In response to MohamedSharief

‎10-12-2020 03:10 PM

I had same error. Try deleting the radius setting and re-add again. Do the same on RADIUS too. 

Not sure which device is creating this issue. But we had same issue on couple devices and it worked both times. 

0 Likes Likes
  • 1 accepted solution
  • 7129 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks