Invalid Role - RADIUS


L4 Transporter

Greetings!

I am troubleshooting PA authentication using RADIUS. The user is part of the appropriate AD group for the RADIUS configuration, and the PA and RADIUS server are both set up for RADIUS auth.

On the PA side, I added an administrator and set their auth profile as the RADIUS profile. When the user tries to log in, the PA log shows:

 

User 'userX' authentication. From: IP

 

then another message:

 

Authorization failed for user Userx via Web from IP : Invalid role

6 REPLIES

Cyber Elite

While I cannot remember the exact error we were seeing, our usernames had a special character at the beginning and the PAN did not like that at all.

 

Not sure if that is the case here.

L5 Sessionator

Hello,

 

When you added that new admin, can you check whether you selected his/her role as "dynamic" or "role based"? Could it be that you are missing the role setup? Change it to dynamic just as a test?

 

Regards

 

Luciano

Thank you for your reply. It's set to Dynamic - Superuser. 

OK, next, did you check the box on your RADIUS profile "Administrator use only" (just underneath the profile name itself)?

and if you did, did you also try to uncheck it 😄

Hi,

 

A few more things that could be useful in troubleshooting:

less mp-log authd.log

tail follow yes mp-log authd.log

 

and if needed, big hammer:

debug authentication connection-show protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295>
debug authentication connection-debug-on protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295> debug-prefix <value>
debug authentication connection-debug-off protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295>

 

Last, but not least, a few articles...

 

Troubleshooting RADIUS

https://live.paloaltonetworks.com/t5/Articles/Troubleshooting-RADIUS-Authentication/ta-p/59200

 

Identify secret key mismatch for RADIUS

https://live.paloaltonetworks.com/t5/Articles/How-to-Identify-Secret-Key-Mismatch-Between-Palo-Alto-...

 

Admin roles (in panorama but you can correlate):

https://live.paloaltonetworks.com/t5/Articles/Separate-Panorama-Admins-Access-Domains-using-RADIUS/t...

 

Regards

 

Luciano
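A small triage helper, added here as an example (it is not from the thread or from PAN-OS), that correlates the two system-log messages quoted in the question for the same admin and flags accounts whose credentials were accepted but whose session was then refused. The sample log lines and IP addresses are constructed; the regexes follow the wording of the two messages in the question.

```python
import re

# Constructed sample lines, modelled on the two messages quoted in the question
# (the addresses are placeholders from the documentation range).
SAMPLE_LOG = """\
User 'userX' authentication. From: 192.0.2.10
Authorization failed for user Userx via Web from 192.0.2.10 : Invalid role
User 'alice' authentication. From: 192.0.2.11
"""

# First message: authentication (the RADIUS server accepted the credentials).
AUTH_RE = re.compile(r"User '(?P<user>[^']+)' authentication\. From: (?P<ip>\S+)")
# Second message: authorization (the firewall refused to map the admin to a role).
AUTHZ_FAIL_RE = re.compile(
    r"Authorization failed for user (?P<user>\S+) via (?P<method>\S+) "
    r"from (?P<ip>\S+) : (?P<reason>.+?)\s*$"
)

def correlate_admin_logins(log_text):
    """Group both messages per user (case-insensitively) and return
    {user: {"names": set, "ip": str, "authenticated": bool,
            "authorized": bool, "reason": str or None}}."""
    results = {}
    for line in log_text.splitlines():
        m = AUTH_RE.search(line) or AUTHZ_FAIL_RE.search(line)
        if not m:
            continue
        rec = results.setdefault(m["user"].lower(), {
            "names": set(), "ip": m["ip"], "authenticated": False,
            "authorized": True, "reason": None})
        rec["names"].add(m["user"])
        if "reason" in m.groupdict():      # authorization-failure line
            rec["authorized"] = False
            rec["reason"] = m["reason"]
        else:                              # authentication line
            rec["authenticated"] = True
    return results

def triage(results):
    """One finding per user whose credentials passed but whose session was refused."""
    findings = []
    for user, rec in sorted(results.items()):
        if rec["authenticated"] and not rec["authorized"]:
            note = (f"{user}@{rec['ip']}: credentials accepted, session refused "
                    f"({rec['reason']}); check the admin's role assignment")
            if len(rec["names"]) > 1:   # the two messages spell the name differently
                note += "; username variants seen: " + ", ".join(sorted(rec["names"]))
            findings.append(note)
    return findings

if __name__ == "__main__":
    for finding in triage(correlate_admin_logins(SAMPLE_LOG)):
        print(finding)
```

Point it at the relevant lines from the system log (or authd.log) to see at a glance which admins passed RADIUS authentication but failed the firewall's role assignment.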
