Admin Accounts Configured using RADIUS are not able to SSH to the Firewall

Created On 09/26/18 19:16 PM - Last Modified 06/13/23 14:11 PM


Issue

If a RADIUS admin user does not first authenticate to the Palo Alto Networks firewall through the WebUI, that user cannot authenticate through SSH.

Cause

When a local admin user is configured on the Palo Alto Networks firewall, a home directory is created for that user. If an admin user's authentication profile is defined for RADIUS only, the firewall does not have a corresponding home directory for that user. In this case, the first login through SSH fails because there is no home directory on the firewall. When the user first logs on through the WebUI, the firewall creates that home directory, which subsequent SSH logons then use.

Resolution

Admin accounts using RADIUS require a WebUI logon first, before the SSH logon works. An additional workaround for this issue is to configure local admin accounts on the firewall through the Device > Administrators tab for admins who will have CLI command access only.

owner: dmaynard


