10-19-2012 08:36 PM
10-19-2012 08:41 PM
I'm running 4.1.8-1 and attempted login via ssh as 'admin' and 'root' and received syslog for both failed attemps as shown below.
2012/10/19 20:37:54info general auth-fa 0 User 'admin' failed authentication. Reason: Invalid username/password From: 172.16.20
.24.
2012/10/19 20:37:51info general general 0 User root
failed authentication from 172.16.20.24
10-20-2012 05:59 AM
Are you using external authentication profile? In my testing, I am only using the local database. I am not using any external authentication profile.
10-20-2012 10:08 AM
No auth profile. I'm using the built in administrator 'admin' account in addition to the others listed below.
admin@renato(active)> show admins all
admin
panorama
oliver
As you can see, the following is a list of my local users not utilized for administrative logon accounts. Maybe we could take a closer look at your system to see the anomaly first hand?
admin@renato(active)# show shared local-user-database user
homeadmin homeadmin
renato renato
ryan ryan
login as: root
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
login as: oliver
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
login as: panorama
Using keyboard-interactive authentication.
Password:
Access denied
Using keyboard-interactive authentication.
Password:
Time Severity Subtype Object EventID ID Description
===============================================================================
2012/10/20 09:59:08info general general 0 User root
failed authentication from 172.16.20.24
2012/10/20 09:58:38info general general 0 User root
failed authentication from 172.16.20.24
2012/10/20 09:58:08info general general 0 User panorama
failed authentication from
2012/10/20 09:58:00info general auth-fa 0 User 'panorama' failed authentication. Reason: Invalid username/password From: 172.16
.20.24.
2012/10/20 09:57:55info userid connect 0 ldap cfg pa200 connected to server 172.16.20.7:389, initiated by: 172.16.20.254
2012/10/20 09:57:38info general general 0 User oliver
failed authentication from
2012/10/20 09:57:19info general auth-fa 0 User 'oliver' failed authentication. Reason: Invalid username/password From: 172.16.2
0.24.
10-20-2012 01:16 PM
ernest@PA-200> show admins all
panorama
ernest
ernest@PA-200>
ernest@PA-200> show config running
config {
mgt-config {
users {
ernest {
permissions {
role-based {
superuser yes;
}
}
authentication-profile admin-local-ap;
}
}
}
authentication-profile {
admin-local-ap {
method {
local-database;
}
allow-list all;
lockout {
lockout-time 5;
failed-attempts 3;
}
}
}
PA-200 login: root
Password:
Login incorrect
login: root
Password:
Login incorrect
login: root
Password:
Login incorrect
login: root
Password:
ernest@PA-200> show log system direction equal backward
Time Severity Subtype Object EventID ID Description
===============================================================================
2012/10/20 13:04:06 info general general 0 User ernest logged in via CLI from
2012/10/20 13:04:05 info general auth-su 0 User 'ernest' authenticated. From: (null).
2012/10/20 13:03:06 info general general 0 User ernest logged out via CLI from Console
2012/10/20 13:01:02 info general general 0 User ernest logged in via CLI from
2012/10/20 13:01:01 info general auth-su 0 User 'ernest' authenticated. From: (null).
no log of root at all..
10-20-2012 04:10 PM
No auth profile associated with this admin user so to mimic your config, I added the local user 'renato' as an administrator and using the localdb as my auth profile for said user. I still see syslogs for the 'root' user. Only difference I see with our config is that the 'admin' user is configured on my unit whereas it's not on yours.
renato@renato(active)> show admins all
admin
panorama
oliver
renato
config {
mgt-config {
users {
admin {
permissions {
role-based {
superuser yes;
}
}
renato {
permissions {
role-based {
superuser yes;
}
}
authentication-profile LocalDB;
}
}
}
2012/10/20 16:05:45info general general 0 Accepted keyboard-interactive/pam for renato from 172.16.20.24 port 6960 ssh2
2012/10/20 16:05:39info general auth-fa 0 User 'renato' failed authentication. Reason: Invalid username/password From: 172.16.20.24.
2012/10/20 16:05:27info general general 0 User renato logged in via CLI from 172.16.20.24
2012/10/20 16:05:26info general auth-su 0 User 'renato' authenticated. From: 172.16.20.24.
2012/10/20 16:05:15info general general 0 User root
failed authentication from 172.16.20.24
10-21-2012 03:28 PM
Hmm, not sure what to say, but I tested with 4.1.7 and 5.0.0 beta.
10-21-2012 05:22 PM
Call into PAN Support so we can turn on some debugging features. If indeed a bug, we'll file one accordingly and investigate further.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
