Authentication Fallback

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Authentication Fallback

Not applicable


So, we currently authenticate administrators to our PA's via Radius (TACACS).  Is there a way to configure the PA's that it will only use the local DB / Administrators if Radius isn't available? 



L5 Sessionator


We do have this functionality. You can goto the Device tab -> Authentication Sequence and hit add to create a new auth sequence.

You will then add your authentication profiles in the order you'd like the authentication attemps to be made.

For your example, you'd first add your Radius authentication profile, then click add again and add your local database authentication profile.


Jason Seals


Sorry to come back to this old post, but I wanted to confirm you reply.


According to the training documentation, PA firewall will check for the user on all the external authentication profiles until it gets a match. It does this using the list of preferred methods, from the most preferred method, to the least preferred method. If it fails to find a match on the external services, it will check the local database.


This does not seem to be what you have explained. The fallback should only be applied if the authen method/served fails to respond. What would be the expected behaviour is, try one external service, if the user is not found, stop the authentication. However, if the radius server is marked as down, then try the next available method.

This would avoid using local users, if the radius/tacacs/ldap servers are responding, increasing the authentication security, but keeping a fallback local in case of emergency.


As far as I can see, this is not currently possible, correct? Did you ever tested this to confirm?


That's what both users in this post are talking about. The initial post was asking how to use the local database if the RADIUS server isn't available. That part of the question entails that the server isn't isn't responding, not that it couldn't auth a user. In that case, jseals answer is 100% correct.

L0 Member

I'm revisiting this subject to see if Palo Alto has implemented any changes to allow us to configure authentication so it uses Radius as the preferred method but only allows authentication against the local database if Radius is not available.  We have tested multiple ways on our Palo firewalls but it always works in performing the sequence even if the Radius server is active. (Allows local users to authenticate if Radius is available but authentication fails.)

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!