Authentication Fallback

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Authentication Fallback

Not applicable


So, we currently authenticate administrators to our PA's via Radius (TACACS).  Is there a way to configure the PA's that it will only use the local DB / Administrators if Radius isn't available? 



L5 Sessionator


We do have this functionality. You can goto the Device tab -> Authentication Sequence and hit add to create a new auth sequence.

You will then add your authentication profiles in the order you'd like the authentication attemps to be made.

For your example, you'd first add your Radius authentication profile, then click add again and add your local database authentication profile.


Jason Seals


Sorry to come back to this old post, but I wanted to confirm you reply.


According to the training documentation, PA firewall will check for the user on all the external authentication profiles until it gets a match. It does this using the list of preferred methods, from the most preferred method, to the least preferred method. If it fails to find a match on the external services, it will check the local database.


This does not seem to be what you have explained. The fallback should only be applied if the authen method/served fails to respond. What would be the expected behaviour is, try one external service, if the user is not found, stop the authentication. However, if the radius server is marked as down, then try the next available method.

This would avoid using local users, if the radius/tacacs/ldap servers are responding, increasing the authentication security, but keeping a fallback local in case of emergency.


As far as I can see, this is not currently possible, correct? Did you ever tested this to confirm?


That's what both users in this post are talking about. The initial post was asking how to use the local database if the RADIUS server isn't available. That part of the question entails that the server isn't isn't responding, not that it couldn't auth a user. In that case, jseals answer is 100% correct.

L0 Member

I'm revisiting this subject to see if Palo Alto has implemented any changes to allow us to configure authentication so it uses Radius as the preferred method but only allows authentication against the local database if Radius is not available.  We have tested multiple ways on our Palo firewalls but it always works in performing the sequence even if the Radius server is active. (Allows local users to authenticate if Radius is available but authentication fails.)

L0 Member

I'm curious if anyone have come up with a solution to this as we have the same requirement.


I'm also thinking, if we create the same credentials on our radius as with the local db but the radius profile has less priviledge (almost no priviledges). Then if the auth sequence is radius1 & radius2 (for redundancy), then as long as both radius are available, then said local db credentials (superadmin) won't be used correct? Correct me if I'm understanding it wrong.

FYI the docs may be wrong on this one, and the solution may work the way that @jseals  mentioned.  We authenticate VPN users against radius, and only if the radius servers are down should the local user database be used as a fallback.  In the Portal -> Authentication config, if the Radius auth is ordered first and the servers are responding, then the local user database is never checked.  Similarly, if the Local Database is ordered first, then auth will check the local database, and Radius is never checked (so putting anything after Local Database seems useless).  So we placed Radius first and Local Database second.

Not exactly the scenario that was mentioned above in the post, just a data point.

L3 Networker

what is the normal behaviour of PA firewalls in this, suppose i have local users and Radius users, when my Radius server is active and authenticating, will i be able to login via local user ?



Doyen admin

i know this is an old post, but did you ever get a solution / response to this?  i am looking at doing the same, Juniper devices allow for this setup, i.e. RAIDUS REJECT = REJECT, RADIUS FAIL = Try local, but cant find any documentation or guidance on how Palo's work ?





L3 Networker

I have tried 2-3 scenarios,


If you have Local users configured along with Radius integrated users, both will work.

eg: user1 in radius server and user1 in local DB has different DB, and it wont work with fails scenario when used with authentication sequence.


When radius fails it will work with Local DB but if Radius is available, it will login with both.


If you have administrators configured it will not work with authentication sequence, referred the doc of PA and tried as well.


Only working (radius-fails, ldap-accept) scenario i have seen is, while authentication sequence used for authenticating Global protect users.


thanks for coming back to me, shame it works this way as it does not really address our need. 



  • 10 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!