cli access with email usernames



L1 Bithead

Has anyone been able to authenticate to the CLI using a username such as username@domain.com over SSH using TACACS+ as authentication? Authenticating using the WebUI works fine, but when you try to SSH using ssh username@domain.com@ipaddress it just sends you back to the username screen. (The user is a superadmin role.)

4 REPLIES 4

Hi @samisu,

- What do you mean by "back to username screen"? Do you mean the password prompt?

- I was thinking that two "@" could confuse the ssh command so that it is not able to identify which part is the username and which the hostname, but I just tested it and it seems it shouldn't be a problem. However, just for the test, try to connect with "ssh -l username@domain.com ipaddress"

- What are the firewall system logs showing when you try to log in with ssh? Do they show the whole username "username@domain.com"?

 

On the other hand, do you really need the user to enter the domain when accessing firewall management? If your TACACS is expecting the username in the form of "username@domain.com", you can create an Authentication Profile that will append the domain to the user input.
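
An added example, not part of the original reply: a client-side check of what username and host the local OpenSSH client derives from a target containing two "@" signs, useful before turning to the firewall or TACACS+ logs. OpenSSH splits a plain user@host argument at the last "@"; the address 192.0.2.10 and the function names are constructed for illustration.

```shell
# Added example with constructed values; 192.0.2.10 is a documentation address.

# split_target TARGET -> prints "user<TAB>host", splitting at the LAST "@",
# which is how the OpenSSH client treats a plain (non-URI) user@host argument.
split_target() {
    case "$1" in
        *@*) printf '%s\t%s\n' "${1%@*}" "${1##*@}" ;;
        *)   printf '\t%s\n' "$1" ;;
    esac
}

# client_view ARGS... -> asks the local OpenSSH client what it resolved,
# without connecting (-G) and ignoring config files (-F /dev/null), so the
# result reflects only the command line.
client_view() {
    ssh -F /dev/null -G "$@" | awk '$1 == "user" || $1 == "hostname"'
}

# Both invocation styles from the thread should resolve to the same
# user/hostname pair; a difference points at the client, not the server.
if command -v ssh >/dev/null 2>&1; then
    echo "expected: $(split_target 'username@domain.com@192.0.2.10')"
    client_view 'username@domain.com@192.0.2.10'
    client_view -l 'username@domain.com' 192.0.2.10
fi
```

If the client reports the full username@domain.com as the user, the username is leaving the workstation intact and the next place to compare is what the firewall system log and the TACACS+ server each record.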


Cyber Elite

@samisu,

This should work, just based off of a quick test that I did, as long as the SSH client being utilized isn't escaping anything. When you look at the logs (System -> (subtype eq auth)), do you see the proper user being submitted?

@aleksandar.astardzhiev so I just tested what you suggested with the ssh -l; it's the same thing. I came to the screen prompting me to enter the password. As soon as I enter the password the screen goes back to username@domain.com@ipaddress password: and if I enter the password again I get a connection closed by ip address port 22. I think the problem here is how it's set up on the TACACS side.

As for the need, there are multiple domains and we have admins on different domains.

 

There are no logs in the PAN device showing any successful authentication. The logs from the TACACS server show it authenticated successfully. This points me to what I was thinking before. There is some type of misconfiguration on the TACACS side. Thank you!
