Authentication error after upgrading to 7.0.x


L4 Transporter



I have an issue after upgrading one of my clients from 6.1.6 to 7.0.7, regarding Radius authentication. Authentication was successful until we upgraded to the new version. After the upgrade we are getting the error "Number of Access Domains and roles doesn't match for the user". Only local admins can log in, but not Radius admins.




When I checked the error in community articles, I found it is related to Panorama, as "access domains" are only available in Panorama when we are using Radius authentication, but they don't have Panorama 🙂


I've read another article where they said that after version 7.0 PA uses CHAP and then falls back to PAP, so I changed the protocol used to PAP only, using the following:


> set authentication radius-auth-type PAP


But I’m still getting the same error.


Then I checked the authd.log and found the following:


2016-12-27 15:39:03.411 +0400 debug: pan_authd_radius_set_auth_type(pan_authd_radius.c:67): Set PAP (only) request type to ip:port=

2016-12-27 15:39:39.984 +0400 debug: pan_auth_request_process(pan_auth_state_engine.c:1540): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 1, body length 2156

2016-12-27 15:39:39.984 +0400 debug: pan_auth_request_process(pan_auth_state_engine.c:1563): Trying to authenticate: <profile: "", vsys: "", username "adm-admin">

2016-12-27 15:39:39.984 +0400 debug: _get_auth_prof_detail(pan_auth_util.c:925): "adm-admin" is an admin user

2016-12-27 15:39:39.984 +0400 debug: _get_admin_authentication_profile_by_name(pan_auth_util.c:505): Got auth prof "Radius" for admin user "adm-admin"

2016-12-27 15:39:39.984 +0400 debug: _get_authseq_profile(pan_auth_util.c:809): Auth profile/vsys (Radius/shared) is NOT auth sequence

2016-12-27 15:39:39.984 +0400 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:260): This is a single vsys platform, group check for allow list is performed on "vsys1"

2016-12-27 15:39:39.984 +0400 debug: pan_auth_cache_user_is_allowed(pan_auth_cache_allowlist_n_grp.c:271): user "adm-admin" is in allow list of auth prof/vsys "Radius/shared"

2016-12-27 15:39:39.984 +0400 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1068): Authenticating user "adm-admin" with <profile: "Radius", vsys: "shared">

2016-12-27 15:39:39.984 +0400 debug: pan_auth_service_get_svr_ids(pan_auth_service.c:630): find auth server id vector for Radius-shared

2016-12-27 15:39:39.984 +0400 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:191): username: adm-admin

2016-12-27 15:39:39.984 +0400 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:412): RADIUS request type: PAP

2016-12-27 15:39:39.985 +0400 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:444): framed-ip-address is zero. Skip it.

2016-12-27 15:39:40.169 +0400 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:241): resp_code = RAD_ACCESS_ACCEPT

2016-12-27 15:39:40.169 +0400 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:262): access domain = superuser

2016-12-27 15:39:40.169 +0400 debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1185): Got response for user: "adm-admin"

2016-12-27 15:39:40.169 +0400 debug: pan_auth_response_process(pan_auth_state_engine.c:2337): auth status: auth success

2016-12-27 15:39:40.169 +0400 debug: pan_auth_response_process(pan_auth_state_engine.c:2355): username: adm-admin, username_only: adm-admin

2016-12-27 15:39:40.169 +0400 debug: pan_auth_response_process(pan_auth_state_engine.c:2391): local admin acct for remote user 'adm-admin' exists

2016-12-27 15:39:40.169 +0400 debug: pan_auth_response_process(pan_auth_state_engine.c:2397): Authentication success: <profile: "Radius", vsys: "shared", username "adm-admin">

2016-12-27 15:39:40.169 +0400 debug: pan_auth_send_auth_resp(pan_auth_server.c:321): Succeed to cache role/adomain /superuser for user adm-admin

2016-12-27 15:39:40.169 +0400 authenticated for user 'adm-admin'.   auth profile 'Radius', vsys 'shared', server profile 'Cisco-ACS-SERVER', server address '', From:

2016-12-27 15:39:40.169 +0400 debug: _log_auth_respone(pan_auth_server.c:240): Sent SUCCESS auth response for user 'adm-admin' (exp_in_days=-1 (-1 never; 0 within a day))

2016-12-27 15:39:41.251 +0400 debug: pan_auth_request_process(pan_auth_state_engine.c:1540): Receive request: msg type PAN_AUTH_REQ_GROUP, conv id 41, body length 32

2016-12-27 15:39:41.251 +0400 debug: pan_db_funcs_request_process(pan_auth_state_engine.c:906): init'ing group request (authorization)

2016-12-27 15:39:41.251 +0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:745): start to authorize user "adm-admin"

2016-12-27 15:39:41.251 +0400 debug: pan_auth_mgr_get_userinfo(pan_auth_mgr.c:1014): Found userinfo (name/role/ado) cache entry: adm-admin//superuser

2016-12-27 15:39:41.251 +0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:856): Sent authorization response for user "adm-admin": role/domain="/superuser"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1


Authentication is successful, as the logs say, but it's not completing the authorization for some reason.


Does anyone have any idea about this issue?






Accepted Solutions

Tried to play with the user modifier and domain, but it's not working either.


Now the case is escalated to TAC Support, and they couldn't find a proper root cause and are pushing me to use TACACS+.







Cyber Elite


I'm sure you have done this by now, but you may want to contact support. I don't recall having issues when I upgraded and had radius auth.



Hi Otakar,


Yup. Already contacted Support, they are analyzing this at the moment.





L4 Transporter

Looks like the radius server is sending radius attribute #4 (for access domains) instead of #3 (for predefined roles). According to your logs the role is blank but the access domain (ADO) is "superuser" (predefined role).



access domain = superuser
Found userinfo (name/role/ado) cache entry: adm-admin//superuser
Sent authorization response for user "adm-admin": role/domain="/superuser"

  • PaloAlto-Panorama-Admin-Role: Attribute #3 - This can either be a default admin role name or a custom admin role name on Panorama.
  • PaloAlto-Panorama-Admin-Access-Domain: Attribute #4 - This is the name of an Access Domain configured on Panorama as created under Panorama > Access Domains.

If you want to configure admins with access domains you can follow the next guide,


You can place a packet capture to analyze the radius responses; off the top of my head, they should be in clear text,
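The condition described in the reply above (blank role, populated access domain) can be searched for directly in authd.log. This Python sketch is an added example, not part of the original thread or vendor code; its regular expressions assume the two line formats shown in the log excerpt in the first post, and the last sample line is constructed for contrast.

```python
import re

# First three lines are copied from the authd.log excerpt in the thread.
# The fourth line is CONSTRUCTED to show an entry with a role and no access domain.
SAMPLE_LOG = """\
2016-12-27 15:39:40.169 +0400 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:262): access domain = superuser
2016-12-27 15:39:41.251 +0400 debug: pan_auth_mgr_get_userinfo(pan_auth_mgr.c:1014): Found userinfo (name/role/ado) cache entry: adm-admin//superuser
2016-12-27 15:39:41.251 +0400 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:856): Sent authorization response for user "adm-admin": role/domain="/superuser"; expiring_in_days=-1; rem_grace_period=-1, rem_login_count=-1
2016-12-27 15:40:02.000 +0400 debug: pan_auth_mgr_get_userinfo(pan_auth_mgr.c:1014): Found userinfo (name/role/ado) cache entry: adm-ops/superuser/
"""

# "name/role/ado" triple written when the cached authorization data is read.
CACHE_RE = re.compile(
    r"Found userinfo \(name/role/ado\) cache entry: ([^/\s]*)/([^/\s]*)/(\S*)"
)
# role/domain pair written when the authorization response is sent.
RESP_RE = re.compile(
    r'Sent authorization response for user "([^"]*)": role/domain="([^/"]*)/([^"]*)"'
)


def find_blank_role_entries(log_text):
    """Return entries where the role is empty but an access domain is set."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = CACHE_RE.search(line) or RESP_RE.search(line)
        if not match:
            continue
        user, role, access_domain = match.groups()
        # A role with no access domain is not flagged; only the inverse,
        # which is the pattern pointed out in the reply above.
        if not role and access_domain:
            findings.append(
                {"line": lineno, "user": user, "access_domain": access_domain}
            )
    return findings


if __name__ == "__main__":
    for hit in find_blank_role_entries(SAMPLE_LOG):
        print(f"line {hit['line']}: user {hit['user']!r} has no role, "
              f"access domain {hit['access_domain']!r}")
```
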


Hi glastra1,


Actually it shouldn't send any attributes with #3 or #4 cause we are not using Panorama.

Also the Radius server was working just fine before upgrading to 7.0.7



