How to Identify Secret Key Mismatch Between Palo Alto Networks Firewall and RADIUS Server
The Palo Alto Networks firewall is configured to use RADIUS authentication for administrative login. However, the administrator is unable to log in to the firewall, and the following error appears: failed authentication. Reason: Invalid username/password.
The issue may be due to a mismatch of the 'secret key' between the firewall and RADIUS server.
Log in to the firewall using the CLI and follow the steps below:
- Enter the following command:
> tail follow yes mp-log authd.log
- While keeping the CLI open, attempt to log in to the GUI using the RADIUS credentials.
- Check for the following error in the CLI output:
Error: pan_authenticate_radius_user(pan_authd.c:2450): Unexpected error from radius server -1
- If the error message appears, the secret keys may not be configured correctly. Make sure the secret keys are configured identically on both the firewall and the RADIUS server.
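Why the two secrets must match, as an added example (not Palo Alto Networks or RADIUS server code): under RFC 2865 the shared secret keys both the User-Password hiding and the Response Authenticator, so a mismatch breaks the exchange in both directions. The secrets, password, packet identifier and Request Authenticator below are constructed values.

```python
import hashlib
import hmac
import struct

FIREWALL_SECRET = b"fw-secret"    # constructed: secret set on the RADIUS client
SERVER_SECRET = b"srv-secret"     # constructed: a different secret on the server
REQ_AUTH = bytes(range(16))       # constructed 16-byte Request Authenticator

def _crypt(data, secret, req_auth, encrypt):
    """RFC 2865 5.2: XOR 16-byte blocks with MD5(secret + previous cipher block)."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if encrypt else data[i:i + 16]
    return out

def hide_password(password, secret, req_auth):
    """Client side: pad to a multiple of 16 bytes, then hide."""
    padded = password + b"\x00" * (-len(password) % 16)
    return _crypt(padded, secret, req_auth, True)

def recover_password(hidden, secret, req_auth):
    """Server side: reverse the hiding with the server's own secret."""
    return _crypt(hidden, secret, req_auth, False).rstrip(b"\x00")

def build_response(code, ident, req_auth, attrs, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_is_authentic(packet, req_auth, secret):
    """Client side: recompute the authenticator with the client's own secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(resp_auth, expected)

if __name__ == "__main__":
    hidden = hide_password(b"admin-pass", FIREWALL_SECRET, REQ_AUTH)
    # The server decodes garbage, so the password check fails even if typed correctly.
    print("server sees:", recover_password(hidden, SERVER_SECRET, REQ_AUTH))
    # Whatever the server answers (code 3 = Access-Reject), the client cannot validate it.
    reply = build_response(3, 7, REQ_AUTH, b"", SERVER_SECRET)
    print("reply authentic:", response_is_authentic(reply, REQ_AUTH, FIREWALL_SECRET))
```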
Example of error message in authd.log: