Palo Alto Networks Knowledgebase: Troubleshooting RADIUS Authentication

Troubleshooting RADIUS Authentication

Created On 08/05/19 20:24 PM - Last Updated 08/05/19 20:36 PM
User-ID
Resolution

Confirm that group membership is correct:

  • Monitor tab > Logs > System
  • Look for “user is not in allow list”.

This means the user is not in the group selected in the Authentication Profile.

ss1.png

From the CLI run the command:

> show user pan-agent user-IDs

Search for the user by typing “/” followed by the username to verify which groups the Palo Alto Networks device associates with that user.

If the above error doesn't apply, the issue is likely with the RADIUS server.

Some common server issues include:

  • The wrong IP address is entered in the RADIUS server configuration on the firewall.
  • The shared secret is mistyped. Do not paste the password into the Secret field.
  • The wrong IP address is entered in the client configuration on the RADIUS server.
  • The RADIUS server policy may be invalid due to:
    • Wrong Windows group
    • Wrong NAS-IP address
    • PAP authentication not enabled
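To see why a mistyped shared secret fails in both directions (the server cannot recover the PAP password, and the firewall cannot validate the server's reply), here is an added Python model of the RFC 2865 exchange. It is not Palo Alto or Microsoft code; the secrets, the user `alice` and the password are constructed values.

```python
import hashlib, hmac, os, struct
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3

def pap_xor(data, secret, request_auth, decrypt=False):
    """RFC 2865 s5.2 User-Password hiding: 16-byte blocks XORed with MD5(secret + previous block)."""
    out, prev = b"", request_auth          # first block is chained from the Request Authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = block if decrypt else res   # chain on ciphertext in both directions
    return out

def access_request(ident, request_auth, user, password, secret):
    """Build what the firewall (NAS) sends: User-Name (1) and a hidden User-Password (2)."""
    padded = password + b"\x00" * (-len(password) % 16)
    attrs = struct.pack("!BB", 1, len(user) + 2) + user
    hidden = pap_xor(padded, secret, request_auth)
    attrs += struct.pack("!BB", 2, len(hidden) + 2) + hidden
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def parse_attrs(packet):
    attrs, i = {}, 20                      # attributes start after the 20-byte header
    while i < len(packet):
        atype, alen = packet[i], packet[i + 1]
        attrs[atype] = packet[i + 2:i + alen]
        i += alen
    return attrs

def server_reply(request, secret, expected_password):
    """Simulated RADIUS server: recover the PAP password with *its* secret, then sign the reply."""
    ident, request_auth, attrs = request[1], request[4:20], parse_attrs(request)
    pw = pap_xor(attrs[2], secret, request_auth, decrypt=True).rstrip(b"\x00")
    code = ACCESS_ACCEPT if pw == expected_password else ACCESS_REJECT
    header = struct.pack("!BBH", code, ident, 20)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return header + hashlib.md5(header + request_auth + secret).digest()

def nas_verify(reply, request_auth, secret):
    """What the firewall does on receipt: recompute the Response Authenticator with its own secret."""
    header, resp_auth, attrs = reply[:4], reply[4:20], reply[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def simulate(nas_secret, server_secret, password=b"Passw0rd!"):
    """Return (server decision code, whether the firewall accepts the reply) for the given secrets."""
    request_auth = os.urandom(16)
    req = access_request(7, request_auth, b"alice", password, nas_secret)
    reply = server_reply(req, server_secret, password)
    return reply[0], nas_verify(reply, request_auth, nas_secret)
```

With matching secrets `simulate` returns an Access-Accept that the firewall validates; with a mismatch the server sees a garbled password and rejects, and the firewall discards the reply as unauthenticated, which is why both the server event log and authd.log show errors at once.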

Events can be viewed on the RADIUS server in Event Viewer > System logs > IAS.

ss2.png

Windows 2008 Event Viewer – System logs, IAS

ss3.png

If the wrong IP address is used in the RADIUS server configuration on the firewall, the following will be seen in the System Log on the firewall:

ss4.png

Use the following CLI command to view authd.log:

> less mp-log authd.log

ss5.png

If the shared secret is incorrect, the same error message will appear in authd.log. An error similar to the following will be visible in the Event Viewer on the Windows 2003 RADIUS server:

ss6.png

If the wrong IP address is used in the client configuration on the RADIUS server, the following error messages will appear in the Windows Event Viewer.

ss7.png

ss8.png

The firewall will display the same System Log entry as above in the event of an invalid policy on the RADIUS server, but the authd.log entry will be different:

ss9.png

If the Windows group is wrong, the NAS-IP address is wrong, or PAP authentication is not set up, the Event Viewer on the RADIUS server will display the following errors.

ss10.png

ss11.png

ss12.png

Successful RADIUS Authentication

Monitor tab > Logs > System

ss13.png

> less mp-log authd.log

ss14.png

owner: bnitz
