SSH to Management interface (RADIUS Auth) PAN OS 10.0.4

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

SSH to Management interface (RADIUS Auth) PAN OS 10.0.4

L1 Bithead

Working on an HA Pair of PA-820 firewalls and just finished configuring auth for management interfaces. Went to test, and found that the firewall said auth succeeds, but the SSH connection immediately drops.

 

Config:

  • Auth profile is RADIUS (Windows NPS server)
  • PAN OS 10.0.4

Tests:

  • Authentication to web interface works for user via RADIUS profile
  • Authentication to SSH interface says authenticated in the system log, but the SSH connection immediately drops
    • Tried connection via SSH client on a Mac, Putty, and Windows SSH client. All yield the same results.
    • debug log for SSH client shows nothing
  • Authentication to SSH via local user accounts on the firewall have no issue

 

Anyone seen this before? Possible bug?

2 REPLIES 2

L1 Bithead

I also noted the following:

 

Due to a SAML authentication need, we have the default username set to UPN so that group memberships are seen accurately. When I specify the Username modifier for the RADIUS profile to be %USERINPUT%@%USERDOMAIN%  the allow list check begins failing for the auth profile. Wouldn't it stand to reason the Username modifier should be applied before the group check is performed? Wouldn't it also make sense to honor the alternate username defined in the group mapping settings?

 

I can get the SSH connection to work by setting the auth profile to allow all, and updating the Username modifier as per the above. This makes me think it doesn't like the format of %USERNAME%@%DOMAIN%@%FW-ADDRESS%. I know SSH can do this format because I've used it in other implementations. The question becomes, how to get the group mappings for SAML and RADIUS to both play nicely on the same domain without querying the groups twice..... for now I have 2 group mapping settings defined, one for SAML and one for RADIUS with the different groups in each.

 

Opened a ticket and will report back if I find anything else out.

L1 Bithead

I've got a config that is where I want it to be, and works, but seems to indicate there are 2 (possibly related) bugs. Here is the config in a nutshell:

 

Management Auth

  • RADIUS Auth Profile with the username modifier set to %USERDOMAIN%\%USERINPUT%
  • Allow List in Auth Profile set to Admin Group
  • Group Mapping Profile (pulling from LDAP) set with Primary Username to be sAMAccountName

This setup allows me to leave the SAML config alone and login successfully to both SSH and WEBUI.

 

Potential Bugs: When primary username is set to UserPrincipalName in Group Mappings

  • When Username modifier is set to %USERINPUT%@%USERDOMAIN% the %USERDOMAIN% is not being applied during user mapping check
  • When user enters fully qualified identity for SSH login (Username modifier set to %USERINPUT%) the SSH session terminates right after successful auth
  • 3021 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!