08-27-2015 12:00 PM
Greetings!
Am troubleshooting PA authentication using RADIUS. The user is part of the appropriate AD group for the RADIUS configuration and the PA and RADIUS server are both setup for RADIUS auth.
On the PA side, added an administrator and set their auth profile as the radius profile. When the user tries to login, the PA log shows:
User 'userX' authentication. From: IP
then another message
Authorization failed for user Userx via Web from IP : Invalid role
08-27-2015 12:17 PM
While I cannot remember the exact error we were seeing, however our usernames had a special character in the begining and the PAN did not like that at all.
Not sure if that is the case here.
08-27-2015 02:01 PM - edited 08-27-2015 02:02 PM
Hello,
when you added that new admin, can you check if you selected his/hers role as "dynamic" or "role based"? Could it be that you are missing role setup? Change that to dynamic just for test?
Regards
Luciano
08-27-2015 02:15 PM
Thank you for your reply. It's set to Dynamic - Superuser.
08-27-2015 02:18 PM
OK, next, did you check the box on your RADIUS profile "Administrator use only" (just underneath the profile name itself)?
08-27-2015 02:20 PM
and if you did, did you also try to uncheck it 😄
08-27-2015 02:55 PM
Hi,
few more things that could be useful in troubleshooting:
less mp-log authd.log
tail follow yes mp-log authd.log
and if needed, big hammer:
debug authentication connection-show protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295>
debug authentication connection-debug-on protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295> debug-prefix <value>
debug authentication connection-debug-off protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295>
last, but not the least, a few articles...
troubleshooting radius
https://live.paloaltonetworks.com/t5/Articles/Troubleshooting-RADIUS-Authentication/ta-p/59200
identify secret key mismatch for radius
Admin roles (in panorama but you can correlate):
Regards
Luciano
03-20-2023 08:02 AM
I am facing the exact same issue. Did you happen to resolve this? If so, could you please let me know the fix.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
