Palo Alto Networks Knowledgebase: How to Identify Secret Key Mismatch Between Palo Alto Networks Firewall and RADIUS Server

Created On 02/07/19 23:42 PM - Last Updated 02/07/19 23:42 PM
Resolution

Issue

The Palo Alto Networks firewall is configured to use RADIUS authentication for administrative login. However, the administrator is unable to log in to the firewall, and the following error appears: failed authentication.  Reason: Invalid username/password.

Solution

The issue may be due to a mismatch of the 'secret key' between the firewall and RADIUS server.

Log in to the firewall using the CLI and follow the steps below:

  1. Enter the following command:
    > tail follow yes mp-log authd.log
  2. While keeping the CLI open, attempt to log in to the GUI using the RADIUS credentials.
  3. Check for the following error in the CLI output:
    Error: pan_authenticate_radius_user(pan_authd.c:2450): Unexpected error from radius server -1
  4. If the error message appears, the secret keys may not be configured correctly. Make sure the secret key is configured identically on both the Palo Alto Networks firewall and the RADIUS server.

Example of error message in authd.log: [screenshot: radius-error-1.JPG]
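Why a mismatched secret surfaces as a bad-password style failure: in RADIUS with PAP (RFC 2865), the shared secret both hides the User-Password attribute and keys the Response Authenticator, so with different secrets the server decodes a wrong password and the client cannot verify the reply. The sketch below is an added example, not Palo Alto Networks code and not a model of PAN-OS internals; the secrets, the password and all function names are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RADIUS packet codes (RFC 2865)

def _xor_blocks(data, secret, req_auth, hiding):
    """RFC 2865 section 5.2: XOR each 16-byte block with MD5(secret + previous)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        # The chain always continues from the ciphertext block.
        prev = block if hiding else data[i:i + 16]
    return out

def hide_password(password, secret, req_auth):
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_blocks(padded, secret, req_auth, hiding=True)

def unhide_password(hidden, secret, req_auth):
    return _xor_blocks(hidden, secret, req_auth, hiding=False).rstrip(b"\x00")

def build_reply(code, ident, req_auth, secret, attrs=b""):
    """Response Authenticator = MD5(header + RequestAuth + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs

def reply_is_authentic(packet, req_auth, secret):
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

def simulate_login(client_secret, server_secret, password=b"Constructed-Pw1"):
    """Return (reply code, whether the client can verify the reply)."""
    req_auth = os.urandom(16)  # Request Authenticator chosen by the client
    hidden = hide_password(password, client_secret, req_auth)
    # Server side: decode with ITS secret and compare to the stored password.
    recovered = unhide_password(hidden, server_secret, req_auth)
    code = ACCESS_ACCEPT if recovered == password else ACCESS_REJECT
    reply = build_reply(code, 1, req_auth, server_secret)
    return code, reply_is_authentic(reply, req_auth, client_secret)

if __name__ == "__main__":
    print("matching  :", simulate_login(b"s3cret-A", b"s3cret-A"))
    print("mismatched:", simulate_login(b"s3cret-A", b"s3cret-B"))
```

The credentials are identical in both runs; only the secret differs, which is why re-entering the password does not clear the failure.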

owner: sgantait


