TACACS configuration not working - system log error: Reason: Authentication profile not found for the user.


58709
Created On 04/15/20 19:52 PM - Last Modified 03/26/21 18:16 PM


Symptom


  • When TACACS is configured for authentication, users cannot log in.
  • System log error:
2020/04/15 08:02:39 medium   auth auth-fa 0  failed authentication for user 'username'.  Reason: Authentication profile not found for the user. From: 123.45.67.89.
2020/04/15 07:33:18 medium   auth auth-fa 0  failed authentication for user 'username'.  Reason: Authentication profile not found for the user. From: 123.45.67.89.
  • From the CLI, the test authentication command succeeds:
> test authentication authentication-profile tacacs-profile username 'username' password
Enter password : 
Target vsys is not specified, user "'username' is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name 'username' is in group "all"
Authentication to TACACS+ server at '123.45.67.88' for user ''username''
Server port: 49, timeout: 3, flag: 4
Egress: 10.10.10.10
Attempting PAP authentication ...
PAP authentication request is created
PAP authentication request is sent with priv_lvl=1 user='username' remote address=10.10.10.10
Authorization request is created
Authorization request sent with priv_lvl=1 user='username' service=PaloAlto protocol=firewall remote address=10.10.10.10
Authorization succeeded
Number of VSA returned: 1
VSA[0]: PaloAlto-Admin-Role=superuser
Authentication succeeded!
Authentication succeeded for user "username"

When logging in to the WebUI with the same username and password, the output is "Invalid username/password".


Environment


  • Any PAN-OS.
  • Palo Alto Firewall.
  • TACACS+ configured for authentication.


Cause


  • The authentication profile is not set under Device > Setup > Management > Authentication Settings.
  • The authentication profile must be updated for non-local administrators. Only the RADIUS, TACACS+ and SAML methods are supported.


Resolution


  1. On the firewall, configure the authentication profile for all external administrators under Device > Setup > Management by editing Authentication Settings.
  2. Select the configured TACACS authentication profile and commit the changes.


Additional Information


The output of "tail follow yes mp-log authd.log" is as follows:

debug: pan_auth_request_process(pan_auth_state_engine.c:3358): Receive request: msg type PAN_AUTH_REQ_REMOTE_INIT_AUTH, conv id 2, body length 2416

debug: _authenticate_initial(pan_auth_state_engine.c:2383): Trying to authenticate (init auth): <profile: "", vsys: "", policy: "", username "'username'"> ; timeout setting: 180 secs ; authd id: 6813065420023529573

debug: _get_auth_prof_detail(pan_auth_util.c:1081): admin user thru WebUI ''username''

Error:  pan_auth_cache_get_admin_authprof(pan_auth_cache_adminusers.c:260): No default auth profile found for username ''username''

Error:  _get_admin_authentication_profile_by_name(pan_auth_util.c:551): No admin auth prof found with the name ''username''

Error:  _get_admin_authentication_profile(pan_auth_util.c:596): No auth prof/vsys is found for admin user ''username''

Error:  pan_get_authprofile_n_setting(pan_auth_util.c:1156): Failed to get authentication profile for admin user thru WebUI ''username'' failed authentication for user ''username''.  Reason: Authentication profile not found for the user. From: 123.45.67.89.

debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'username'' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6813065420023529573)

Error:  _authenticate_initial(pan_auth_state_engine.c:2551): Failed to get authentication profile
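The system log entries in the Symptom section and the authd.log errors above carry the same diagnostic: the failure is "Authentication profile not found", a firewall configuration problem, not a wrong password. The following script is an added example, not code from the article or from Palo Alto Networks. It parses both log formats shown on this page, separates profile-not-found failures from ordinary credential failures (so that a monitoring rule does not treat a misconfiguration as a brute-force attempt, or vice versa), and confirms the cause from the authd.log Error lines. All sample lines are constructed to mirror the article's excerpts; the third system log line (an "Invalid username/password" reason) is constructed to give the classifier a second case, and the regular expressions are assumptions fitted to the lines shown, not a published PAN-OS log schema.

```python
"""Classify PAN-OS admin authentication failures from the system log and authd.log.

Added example (not from the article or Palo Alto Networks). It separates the
"Authentication profile not found" failure, which is a configuration problem,
from credential failures, and confirms the cause from authd.log Error lines.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input. The first two lines mirror the system log entries
# quoted in the article; the third is a constructed credential failure so the
# classifier has both cases to separate.
SYSTEM_LOG_LINES = [
    "2020/04/15 08:02:39 medium   auth auth-fa 0  failed authentication for user "
    "'username'.  Reason: Authentication profile not found for the user. From: 123.45.67.89.",
    "2020/04/15 07:33:18 medium   auth auth-fa 0  failed authentication for user "
    "'username'.  Reason: Authentication profile not found for the user. From: 123.45.67.89.",
    "2020/04/15 07:40:02 medium   auth auth-fa 0  failed authentication for user "
    "'username'.  Reason: Invalid username/password. From: 123.45.67.89.",
]

# Constructed sample input mirroring the authd.log excerpt in the article
# (one debug line plus the Error lines, re-joined onto single lines).
AUTHD_LOG_LINES = [
    "debug: _get_auth_prof_detail(pan_auth_util.c:1081): admin user thru WebUI ''username''",
    "Error:  pan_auth_cache_get_admin_authprof(pan_auth_cache_adminusers.c:260): "
    "No default auth profile found for username ''username''",
    "Error:  _get_admin_authentication_profile_by_name(pan_auth_util.c:551): "
    "No admin auth prof found with the name ''username''",
    "Error:  _get_admin_authentication_profile(pan_auth_util.c:596): "
    "No auth prof/vsys is found for admin user ''username''",
    "Error:  _authenticate_initial(pan_auth_state_engine.c:2551): Failed to get authentication profile",
]

# Assumed patterns, fitted to the line shapes shown in the article.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(?P<severity>\S+)\s+auth\s+auth-fa\s+\d+\s+"
    r"failed authentication for user '(?P<user>[^']*)'\.\s+Reason: (?P<reason>.+?)\.\s+"
    r"From: (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.?$"
)
AUTHD_ERROR_RE = re.compile(
    r"^Error:\s+(?P<func>\w+)\((?P<file>[\w.]+):(?P<lineno>\d+)\):\s*(?P<msg>.*)$"
)

# Reasons that point at firewall configuration rather than at the credentials.
CONFIG_REASONS = frozenset({"Authentication profile not found for the user"})
# Remediation taken from the article's Resolution section.
FIX_HINT = ("Assign the TACACS authentication profile under Device > Setup > "
            "Management > Authentication Settings and commit.")


@dataclass
class AuthFailure:
    timestamp: str
    user: str
    reason: str
    source_ip: str
    category: str  # "misconfiguration" or "credential"


@dataclass
class AuthdError:
    func: str
    file: str
    lineno: int
    msg: str


def parse_system_log(line: str) -> Optional[AuthFailure]:
    """Parse one auth-fa system log line; return None for lines of other types."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    reason = m.group("reason")
    category = "misconfiguration" if reason in CONFIG_REASONS else "credential"
    return AuthFailure(m.group("ts"), m.group("user"), reason, m.group("src"), category)


def parse_authd_errors(lines) -> list:
    """Extract the Error lines (function, source location, message) from authd.log."""
    out = []
    for line in lines:
        m = AUTHD_ERROR_RE.match(line)
        if m:
            out.append(AuthdError(m.group("func"), m.group("file"),
                                  int(m.group("lineno")), m.group("msg")))
    return out


def summarize(system_lines, authd_lines) -> dict:
    """Count failures by category and confirm the missing-profile cause from authd.log."""
    failures = [f for f in map(parse_system_log, system_lines) if f is not None]
    errors = parse_authd_errors(authd_lines)
    by_category = dict(Counter(f.category for f in failures))
    confirmed = any(e.msg.startswith("No default auth profile found") for e in errors)
    return {
        "by_category": by_category,
        "profile_missing_confirmed": confirmed,
        "action": FIX_HINT if by_category.get("misconfiguration") else None,
    }


if __name__ == "__main__":
    print(summarize(SYSTEM_LOG_LINES, AUTHD_LOG_LINES))
```

The split matters operationally: a run of "Authentication profile not found" failures for an admin account is a change-management issue to route to the firewall administrators, while the same volume of "Invalid username/password" failures from one source is a credential-guessing signal for the SOC. Running the script prints both the per-category counts and, because authd.log contains the "No default auth profile found" error, the remediation from the Resolution section.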

