User 'user' failed authentication. Reason: Authentication profile not found for the user.
When setting up an administrator I get the above error message.
The authentication profile has the user on the allow list and is also applied to a new member of the administrators group.
Made a local DB user.
Created new authentication profile:
Gave Profile name: Device
Placed new localDB user into 'Allow list'
Changed Failed attempts to 4
Changed Lockout Time to 1
Authentication: Local DB
Under Device > Administrators
Authentication Profile: Device
Role: Dynamic: Superuser
When I attempt to log back in I get an error message that the user/password is incorrect. Then when I log back as admin I can see the above error. Thank you in advance for any help.
If all you want to do is create a local user name and password for the purpose of logging into the paloalto you are makingthis more complicated than necessary. Open the "Administrators" section of the "Device" tab. Create a user name and a password. Do not select any Auth profile. You would use an auth profile if you wanted the firewall to query a RADIUS or LDAP server for ID verification. You might get your original attempt to work if you go to the "Local User Database" section and create the user and password there. Then create an Auth Profile and add the user to the profile. Then you can go to Administrators and point to the Auth profile you just created.
The reason for the effort is to have admin users using the same password they use for the SSL-VPN as they do for logging into the equipment. No reason to have another 3 passwords for one new piece of equipment. Also I have attempted to do the administrators and add the auth profile for the local DB with the selected users in the specified auth profile.
If you are trying to sync all three Authentication section to the same User ID/PW (Admin, SSLVPN, Capture Portal) plus the User-ID Agent for the Policy then you will need to use a external database like Active Directory.
So here are the steps if using the PAN-Agent.
#1 - Install / Configure the PAN-Agent - This will give you the ability to select user and group in this format: DOMAIN\USER.
#2 - Configure a LDAP Profile - Make sure you fill in the "Domain" section to match the "DOMAIN" -- this will only work if you have only a simple single domain structure.
#3 - Create a Authentication Profile for Admins - Select the users which will be allowed to log into the PA
#4 - Create a Authentication Profile for SSL VPN - Select the users / groups which can log into the SSL VPN
#5 - Create a Authentication Profile for Capture Portal - I find it easy to choise "All" for users
#6 - Creat a Administrator which matches the Domain Account so you can assign a Admin role it that user
#7 - Edit Device / Setup and add the Authentication Profile for Administrators
#8 - Create a SSL VPN and policy
#9 - Create a Portal Capture Rule
#10 - Commit and test.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!