Panorama Authentication to Radius Cisco Secure ACS Server not Working

Created On 09/26/18 13:53 PM - Last Modified 07/19/22 23:11 PM


Overview

Panorama was configured to authenticate to a Radius Cisco Secure ACS server. The VSA file was imported, the Panorama server was set up in Radius ACS, and the Radius ACS server was set up in Panorama.

Issue

When trying to log in to Panorama with the ACS user, the login fails with: "invalid username or password". The ACS log shows a login attempt from Panorama that failed with the error: External DB user invalid or bad password.

Resolution

Use the following CLI command to examine the authentication logs and look for an error message:
> less mp-log authd.log 

A successful login message is shown below:

May 17 15:59:41 pan_authd_service_req(pan_authd.c:2396): Authd:Trying to remote authenticate user: admin
May 17 15:59:41 pan_authd_service_auth_req(pan_authd.c:1073): AUTH Request <'','','admin'>
May 17 15:59:42 admin admin is being authed using local acct
May 17 15:59:42 pan_authd_authenticate_service(pan_authd.c:626): authentication succeeded (0)
May 17 15:59:42 pan_authd_authenticate_service(pan_authd.c:632): account is valid
May 17 15:59:42 Authenticating local admin admin succeeded
May 17 15:59:42 pan_authd_process_authresult(pan_authd.c:1204): pan_authd_process_authresult: admin authresult auth'ed
May 17 15:59:42 User 'admin' authenticated.   From: 10.20.0.186.
May 17 15:59:42 pan_get_system_cmd_output(pan_cfg_utils.c:3025): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
May 17 15:59:42 pan_authd_generate_system_log(pan_authd.c:805): CC Enabled=False
May 17 15:59:42 pan_get_system_cmd_output(pan_cfg_utils.c:3025): executing: /usr/local/bin/sdb -n -r cfg.operational-mode
May 17 15:59:44 Warning: elog_callback(pan_elog.c:41): Elog being proxied
May 17 16:00:54 Error: pan_cfg_parse_authprofiles(pan_authd_ludb.c:926): failed attempts value missing
May 17 16:00:54 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3209): failed to fetch: NO_MATCHES
May 17 16:00:54 Error: pan_cfg_parse_authprofiles(pan_authd_ludb.c:926): failed attempts value missing
May 17 16:00:54 In >> pan_cfg_parse_adminusers
May 17 16:00:54 pan_cfg_parse_adminusers(pan_authd_ludb.c:714): admin user entry missing authentication profile
May 17 16:00:54 pan_ludb_parse_commit_candidate(pan_authd_ludb.c:1170): CC Enabled set to: False.
May 17 16:00:54 pan_ludb_parse_commit_candidate(pan_authd_ludb.c:1180): Skip Authentication failure logs set to False.
May 17 16:00:54 pan_ludb_parse_commit_candidate(pan_authd_ludb.c:1187): Skip Authentication successs logs set to False.
May 17 16:00:54 pan_authd_config_phase1(pan_authd.c:2690): config phase 1  completed
May 17 16:01:57 pan_authd_config_phase2(pan_authd.c:2734): Authd Config phase 2 begin
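
To triage a longer authd.log than the excerpt above, the following Python script (an added example, not Palo Alto Networks code) pulls out successful logins and groups Error/Warning entries by the function that logged them. The sample lines are copied from the excerpt on this page; the regular expressions are assumptions derived from those lines only, not a documented log format.

```python
import re
from collections import Counter

# Sample lines copied from the authd.log excerpt on this page.
SAMPLE = """\
May 17 15:59:41 pan_authd_service_req(pan_authd.c:2396): Authd:Trying to remote authenticate user: admin
May 17 15:59:42 pan_authd_authenticate_service(pan_authd.c:626): authentication succeeded (0)
May 17 15:59:42 User 'admin' authenticated.   From: 10.20.0.186.
May 17 15:59:44 Warning: elog_callback(pan_elog.c:41): Elog being proxied
May 17 16:00:54 Error: pan_cfg_parse_authprofiles(pan_authd_ludb.c:926): failed attempts value missing
May 17 16:00:54 Error: pan_authd_get_sysd_multivsys(pan_authd.c:3209): failed to fetch: NO_MATCHES
May 17 16:00:54 Error: pan_cfg_parse_authprofiles(pan_authd_ludb.c:926): failed attempts value missing
May 17 16:00:54 pan_cfg_parse_adminusers(pan_authd_ludb.c:714): admin user entry missing authentication profile
"""

# Assumed layout: timestamp, optional "Error:"/"Warning:", optional func(file:line), message.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "
    r"(?:(?P<level>Error|Warning): )?"
    r"(?:(?P<func>\w+)\((?P<src>[\w.]+):(?P<lineno>\d+)\): )?"
    r"(?P<msg>.*)$"
)
# The line authd writes once a user has been authenticated, as seen in the excerpt.
LOGIN = re.compile(r"^User '(?P<user>[^']+)' authenticated\.\s+From: (?P<ip>[\d.]+?)\.$")

def parse(text):
    """Yield one dict (ts, level, func, src, lineno, msg) per matching log line."""
    for raw in text.splitlines():
        m = LINE.match(raw.rstrip())
        if m:
            yield m.groupdict()

def summarize(text):
    """Return (successful logins, Counter of Error/Warning entries)."""
    logins, problems = [], Counter()
    for rec in parse(text):
        hit = LOGIN.match(rec["msg"])
        if hit:
            logins.append((rec["ts"], hit["user"], hit["ip"]))
        if rec["level"]:
            problems[(rec["level"], rec["func"], rec["msg"])] += 1
    return logins, problems

if __name__ == "__main__":
    logins, problems = summarize(SAMPLE)
    for ts, user, ip in logins:
        print(f"login ok: {user} from {ip} at {ts}")
    for (level, func, msg), n in problems.most_common():
        print(f"{level} x{n}: {func}: {msg}")
```

A window that shows a "Trying to remote authenticate user" line for the ACS user but no matching entry in the login list is the place to start reading the raw log.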

owner: bpappas


