Palo Alto Networks Knowledgebase: Admin Accounts Configured using RADIUS are not able to SSH to the Firewall

Admin Accounts Configured using RADIUS are not able to SSH to the Firewall

9624
Created On 02/07/19 23:38 PM - Last Updated 02/07/19 23:38 PM
Resolution

Issue

If a RADIUS admin user does not authenticate to the Palo Alto Networks firewall through the WebUI first, that user cannot authenticate through the SSH.

Cause

When configuring the local admin user on the Palo Alto Networks firewall, a home directory is created for that user. If an admin user's authentication profile is defined for RADIUS only, then the firewall does not have that user's corresponding home directory. In this case, the first time login through SSH fails because there is no home directory on the firewall. When the user firsts logs on through the WebUI, it will create that home directory for subsequent SSH logons.

Resolution

Admin accounts using RADIUS require a WebUI logon first, before the SSH logon works. An additional workaround for this issue is to configure local admin accounts on the firewall through the Device > Administrators tab for admins that would only have CLI command access.

owner: dmaynard



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3qCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language