Login Error: "Invalid user" when being Authorised via TACACS+ for Management User

Created On 12/07/18 03:07 AM - Last Modified 08/06/21 22:24 PM


Symptom


  • A firewall admin user is configured to be authorised via TACACS+
  • When logging into the firewall, the error "Invalid user" is returned
  • authd.log on the CLI shows the response "Could not get user role for user"
> less mp-log authd.log
2018-11-12 18:17:35.941 +0530 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1395): start to authorize user "testAdminUser"
2018-11-12 18:17:35.941 +0530 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1408): Could not get user role for user testAdminUser



Environment


  • PAN-OS
  • TACACS+ Authentication for Management users



Cause


The VSA attribute and value "Cisco-av-pair = SecurityAdmin" configured on the TACACS+ server is not recognized or supported by PAN-OS, so authd cannot map the user to an admin role.
See the authd.log excerpt below:
> less mp-log authd.log
2018-11-12 18:17:35.262 +0530 debug: pan_authd_tacplus_authenticate(pan_authd_shared_tacplus.c:315): VSA from Tacacs+ server: attr[0] - Cisco-av-pair=SecurityAdmin
2018-11-12 18:17:35.262 +0530 VSA attr: Cisco-av-pair = SecurityAdmin



Resolution


Configure the TACACS+ server to return the Vendor Specific Attributes (VSAs) that PAN-OS understands: the PaloAlto-Admin-Role VSA must be defined for firewall administrators and the PaloAlto-Panorama-Admin-Role VSA for Panorama administrators.
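The following is an added example, not part of the original article, showing how an operator can check an authd.log excerpt for the condition described above: it parses the "VSA from Tacacs+ server" lines, associates them with the next "start to authorize user" entry, and flags any attempt whose server returned no PaloAlto-Admin-Role / PaloAlto-Panorama-Admin-Role VSA or whose role lookup failed. The sample log is constructed from the two lines quoted in this article plus a hypothetical second user ("exampleAdmin", value "superuser") whose server returns the expected VSA; the set of expected VSA names is limited to the two named in the Resolution, and a real deployment may legitimately return additional PAN-OS VSAs.

```python
import re
from dataclasses import dataclass

# VSA names this article says PAN-OS expects for management users.
EXPECTED_VSAS = {"PaloAlto-Admin-Role", "PaloAlto-Panorama-Admin-Role"}

# Constructed sample: the lines quoted in the article, plus one constructed
# attempt for a hypothetical user whose TACACS+ server returns the right VSA.
SAMPLE_AUTHD_LOG = """\
2018-11-12 18:17:35.262 +0530 debug: pan_authd_tacplus_authenticate(pan_authd_shared_tacplus.c:315): VSA from Tacacs+ server: attr[0] - Cisco-av-pair=SecurityAdmin
2018-11-12 18:17:35.262 +0530 VSA attr: Cisco-av-pair = SecurityAdmin
2018-11-12 18:17:35.941 +0530 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1395): start to authorize user "testAdminUser"
2018-11-12 18:17:35.941 +0530 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1408): Could not get user role for user testAdminUser
2018-11-12 18:20:01.100 +0530 debug: pan_authd_tacplus_authenticate(pan_authd_shared_tacplus.c:315): VSA from Tacacs+ server: attr[0] - PaloAlto-Admin-Role=superuser
2018-11-12 18:20:01.105 +0530 debug: pan_authd_handle_group_req(pan_auth_state_engine.c:1395): start to authorize user "exampleAdmin"
"""

VSA_RE = re.compile(r"VSA from Tacacs\+ server: attr\[\d+\] - ([^=\s]+)=(\S*)")
AUTHZ_START_RE = re.compile(r'start to authorize user "([^"]+)"')
NO_ROLE_RE = re.compile(r"Could not get user role for user (\S+)")


@dataclass
class AuthzAttempt:
    """One authorization attempt: the user and the VSAs the server returned for it."""
    user: str
    vsas: dict                      # attribute name -> value
    role_lookup_failed: bool = False

    def unsupported_vsas(self):
        """VSA names that are not among the PAN-OS role attributes."""
        return sorted(a for a in self.vsas if a not in EXPECTED_VSAS)

    def missing_role_vsa(self):
        """True when neither expected role VSA was returned at all."""
        return not (self.vsas.keys() & EXPECTED_VSAS)


def parse_authd_log(text):
    """Group authd.log lines into AuthzAttempt records.

    VSA lines are emitted before the "start to authorize" line for the same
    request, so they are buffered and attached to the next user seen.
    """
    attempts = []
    pending = {}
    for line in text.splitlines():
        m = VSA_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = AUTHZ_START_RE.search(line)
        if m:
            attempts.append(AuthzAttempt(m.group(1), pending))
            pending = {}
            continue
        m = NO_ROLE_RE.search(line)
        if m:
            # Mark the most recent attempt for that user as failed.
            for attempt in reversed(attempts):
                if attempt.user == m.group(1):
                    attempt.role_lookup_failed = True
                    break
    return attempts


def diagnose(attempts):
    """Return one finding per attempt that would surface as "Invalid user"."""
    findings = []
    for a in attempts:
        reasons = []
        if a.missing_role_vsa():
            reasons.append("no PaloAlto-Admin-Role / PaloAlto-Panorama-Admin-Role VSA returned")
        for attr in a.unsupported_vsas():
            reasons.append(f"unsupported VSA {attr}={a.vsas[attr]}")
        if a.role_lookup_failed:
            reasons.append("authd could not derive a role (Could not get user role)")
        if reasons:
            findings.append({"user": a.user, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_authd_log(SAMPLE_AUTHD_LOG)):
        print(finding["user"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run against a real excerpt (`less mp-log authd.log` output pasted into a file) by reading the file into `parse_authd_log`; a user listed with "unsupported VSA Cisco-av-pair=..." and no expected VSA is the misconfiguration this article describes, and the fix is on the TACACS+ server, not the firewall.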


Additional Information


Configure TACACS+ Authentication
Palo Alto Networks Management Access through TACACS

