Admin Accounts Configured using RADIUS are not able to SSH to the Firewall
If a RADIUS admin user does not authenticate to the Palo Alto Networks firewall through the WebUI first, that user cannot authenticate through the SSH.
When configuring the local admin user on the Palo Alto Networks firewall, a home directory is created for that user. If an admin user's authentication profile is defined for RADIUS only, then the firewall does not have that user's corresponding home directory. In this case, the first time login through SSH fails because there is no home directory on the firewall. When the user firsts logs on through the WebUI, it will create that home directory for subsequent SSH logons.
Admin accounts using RADIUS require a WebUI logon first, before the SSH logon works. An additional workaround for this issue is to configure local admin accounts on the firewall through the Device > Administrators tab for admins that would only have CLI command access.