I am troubleshooting PA authentication using RADIUS. The user is part of the appropriate AD group for the RADIUS configuration, and the PA and RADIUS server are both set up for RADIUS auth.
On the PA side, I added an administrator and set their auth profile as the RADIUS profile. When the user tries to log in, the PA log shows:
User 'userX' authentication. From: IP
Then another message:
Authorization failed for user Userx via Web from IP : Invalid role
A few more things that could be useful in troubleshooting:
less mp-log authd.log
tail follow yes mp-log authd.log
And if needed, the big hammer:
debug authentication connection-show protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295>
debug authentication connection-debug-on protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295> debug-prefix <value>
debug authentication connection-debug-off protocol-type <TACACS+|LDAP|Kerberos|RADIUS> connection-id <0-4294967295>
Last but not least, a few articles...
identify secret key mismatch for radius
Admin roles (in Panorama, but you can correlate):