How to Identify Secret Key Mismatch Between Palo Alto Networks Firewall and RADIUS Server

Created On 09/26/18 13:54 PM - Last Modified 07/19/22 23:11 PM


Resolution


Issue

The Palo Alto Networks firewall is configured to use RADIUS authentication for administrative login. However, the administrator is unable to log in to the firewall, and the following error appears: "failed authentication. Reason: Invalid username/password."

Solution

The issue may be due to a mismatch of the 'secret key' between the firewall and RADIUS server.

Log in to the firewall using the CLI and follow the steps below:

  1. Enter the following command:
    > tail follow yes mp-log authd.log
  2. While keeping the CLI open, attempt to log in to the GUI using the RADIUS credentials.
  3. Check for the following error in the CLI output:
    Error: pan_authenticate_radius_user(pan_authd.c:2450): Unexpected error from radius server -1
  4. If the error message appears, the secret keys may not be configured correctly. Make sure the secret key is configured identically on both the Palo Alto Networks firewall and the RADIUS server.

Example of error message in authd.log: [screenshot: radius-error-1.JPG]
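Why a secret mismatch looks like a bad password, as an added example (not Palo Alto Networks or PAN-OS code): a sketch of the RFC 2865 PAP password hiding and Response Authenticator check, which goes beyond the log check above to show the protocol-level effect. The function names, secrets, password and fixed Request Authenticator are constructed for illustration and do not model authd internals.

```python
import hashlib
import hmac
import struct

def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", req_auth
    for i in range(0, size, 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out

def recover_password(hidden, secret, req_auth):
    """Server side: undo hide_password() with the server's copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def response_authenticator(code, ident, attrs, req_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()

def simulate(client_secret, server_secret, password, req_auth):
    """Return (password seen by server, reply code, client accepts reply?)."""
    hidden = hide_password(password, client_secret, req_auth)
    seen = recover_password(hidden, server_secret, req_auth)
    code = 2 if seen == password else 3  # 2 = Access-Accept, 3 = Access-Reject
    sent = response_authenticator(code, 1, b"", req_auth, server_secret)
    want = response_authenticator(code, 1, b"", req_auth, client_secret)
    return seen, code, hmac.compare_digest(sent, want)

if __name__ == "__main__":
    REQ_AUTH = bytes(range(16))  # constructed; real clients use random bytes
    for server_secret in (b"s3cret-A", b"s3cret-B"):  # constructed secrets
        seen, code, ok = simulate(b"s3cret-A", server_secret, b"Adm1n-pass", REQ_AUTH)
        print(server_secret, "server saw:", seen, "code:", code, "reply valid:", ok)
```

With matching secrets the server recovers the password and the reply validates; with differing secrets the server sees garbage for a correct password and the client cannot validate the reply's authenticator.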

owner: sgantait


