Followed this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClS6CAK

The authentication shows successful on the inbound to Clearpass and meets all the policies required for successful login. However, the Palo sits at the login, then eventually fails after about 5-10 seconds and indicates incorrect login credentials.

Palo System logs indicate Authentication failure:

failed authentication for user 'test.user'. auth profile 'PALO-CLEARPASS', vsys 'shared', server profile ' PALO-Clearpass ', server address '10.x.x.x', auth protocol 'PAP', From: 10.x.x.x.

Authd logs show:

2021-09-03 17:55:44.886 +1000 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:230): username: test.user
2021-09-03 17:55:44.886 +1000 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:390): RADIUS request type: PAP
2021-09-03 17:55:49.886 +1000 debug: auth_svr_timeout_sent_request(pan_auth_svr.c:272): timeout: authd id=6842217317271730159, username=test.user, protocol req id=123, retries=3 (max allowed retries #: 3), elapsed sec=13 (max allowed secs: 180)
2021-09-03 17:55:49.886 +1000 debug: pan_auth_response_process(pan_auth_state_engine.c:4290): auth status: auth timed out
2021-09-03 17:55:49.886 +1000 debug: pan_auth_response_process(pan_auth_state_engine.c:4529): Auth FAILED for user "test.user" thru <"PALO-CLEARPASS", "shared">: remote server 10.x.x.x.x of server profile "PALO-Clearpas s" is down, or in retry interval, or request timed out (elapsed time 13 secs, max allowed 180 secs)
2021-09-03 17:55:49.886 +1000 debug: pan_auth_response_process(pan_auth_state_engine.c:4571): Authentication failed: <profile: "PALO-CLEARPASS", vsys: "shared", username "test.user">
2021-09-03 17:55:49.886 +1000 Error: pan_set_admin_user_stat(pan_auth_admin_login_stat.c:260): Admin user "test.user" home dir "/opt/pancfg/home/test.user" has NOT created yet
2021-09-03 17:55:49.886 +1000 Error: pan_auth_send_auth_resp(pan_auth_server.c:646): pan_set_admin_user_stat("test.user", False)
2021-09-03 17:55:49.887 +1000 failed authentication for user 'test.user'. auth profile 'PALO-CLEARPASS', vsys 'shared', server profile 'PALO-Clearpass', server address '10.x.x.x.', auth protocol 'PAP', From: 10.x.x.x.x

What could be causing this issue?

Also, another question: when using RADIUS authentication for management (GUI/SSH) of the firewall, do you add the administrator test.user manually in the administrators of the GUI and specify the authentication profile for RADIUS on a per-user basis? - GUI > Device > Administrators > adding the user there?