09-10-2021 10:45 AM
Issue: Authentication failure when using AD Account
Log: Authentication Timeout to server
PanOS Version: 10.1.1
Panorama is not used
NPS Installed on Windows Server 2016
Radius Server Profile Created
Authentication Profile Created
Admin Role Created
Linked in Setup
NPS Client and Policy Created (25461 - uses created admin role, uses PAP)
Tested Policies on dev and worked
The Authentication setting has a second gear that states "Stack Override:" not present in dev.
Is it possible that the override is changing my settings and pointing to a local login instead?
09-10-2021 02:40 PM
I am running 10.1.1 and I too have the same orange "override" gear, so that is part of the operating system for 10.1.1
If you have your auth profile set to Radius, then it should be working.
CLI into the firewall and issue:
tail follow yes mp-log authd.log (confirm my syntax..) and watch as your user attempts to authenticate.
Just keep in mind that the FW is not failing your authentication... your Radius server is... and the FW merely acts as the messenger to say "invalid username or password" or similar.
As a test, try to create a local user (not an admin account user) under Device ==> Local Users. And create an auth profile, pointed back to that local user. If auth works locally (where the FW is the authentication server), but fails when you change to LDAP or Radius, this will confirm/illustrate that either your auth profile is incorrect (IP, shared secret, service account name, port name, etc.)
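Added example, not part of the thread and not Palo Alto or Microsoft code: a Python sketch of the RFC 2865 PAP exchange showing what a shared-secret mismatch does on each side. The server recovers a garbled password, and the client discards the reply because its Response Authenticator does not verify, so no usable answer arrives. The user name, password, secrets and role name are constructed; sub-attribute 1 under vendor 25461 is PaloAlto-Admin-Role in the vendor dictionary.

```python
import hashlib, hmac, struct

def hide_pap(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out

def unhide_pap(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """What the RADIUS server recovers using its own copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value

def access_request(ident, user, password, secret, req_auth) -> bytes:
    attrs = attr(1, user) + attr(2, hide_pap(password, secret, req_auth))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def admin_role_vsa(role: bytes) -> bytes:
    """Vendor-Specific (26), vendor 25461, sub-attribute 1 carrying the admin role name."""
    return attr(26, struct.pack("!I", 25461) + attr(1, role))

def server_reply(code, ident, attrs, req_auth, secret) -> bytes:
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def client_accepts(reply: bytes, req_auth: bytes, secret: bytes) -> bool:
    """The client recomputes the Response Authenticator; a mismatch means the reply is dropped."""
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    ra = bytes(range(16))                              # constructed Request Authenticator
    fw, nps = b"secret-on-firewall", b"secret-on-nps"  # constructed, deliberately mismatched
    req = access_request(1, b"jdoe", b"Passw0rd!", fw, ra)
    print("NPS sees password:", unhide_pap(req[-16:], nps, ra))
    reply = server_reply(2, 1, admin_role_vsa(b"fw-admins"), ra, nps)
    print("firewall keeps reply:", client_accepts(reply, ra, fw))
```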