How to resolve authentication failures caused by "rad_access_reject"

Created On 04/22/20 19:23 PM - Last Modified 04/22/20 19:49 PM


Objective
How to resolve authentication failures caused by "rad_access_reject".

Environment
  • Pan-OS
  • Authentication
  • Radius


Procedure
resp_code = RAD_ACCESS_REJECT is the response the firewall receives from the RADIUS server. This document covers the two most common reasons why the RADIUS server rejects the connection:

1- Problem: Wrong shared secret

The system log shows an invalid username/password failure:
 
User 'TESTCORP\ggarrison' failed authentication. Reason: Invalid username/password From:10.66.18.1.



The authd log shows the error "RAD_ACCESS_REJECT" together with the RADIUS error "Invalid RADIUS response received - Bad MD5":

 
debug: pan_authd_service_req(pan_authd.c:3318): Authd:Trying to remote authenticate user: ggarrison

debug: pan_authd_service_auth_req(pan_authd.c:1158): AUTH Request <'','','ggarrison'> ggarrison admin is being authed

debug: pan_authd_handle_admin_auths(pan_authd.c:2246): Using auth prof v6-TestCorp-radius-auth for admin ggarrison

debug: pan_authd_handle_admin_auths(pan_authd.c:2300): shared/v6-TestCorp-radius-auth is auth prof is of type (auth profile)

Error: pan_process_radius_auth(pan_authd.c:1033): Radius error : Invalid RADIUS response received - Bad MD5

Error: pan_authenticate_radius_user(pan_authd.c:2473): Unexpected error from radius server -1

authentication failed for remote user <TESTCORP\ggarrison(orig:ggarrison)>

debug: pan_authd_process_authresult(pan_authd.c:1353): pan_authd_process_authresult: TESTCORP\ggarrison authresult not auth'ed

debug: pan_authd_process_authresult(pan_authd.c:1399): Alarm generation set to: False.


Make sure the shared secret configured on the firewall matches the one configured on the RADIUS server.
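Why a mismatched shared secret produces both a reject and a "Bad MD5" error, as an added example that is not part of the original article or PAN-OS code. It follows the RFC 2865 PAP password hiding and Response Authenticator formulas; the `simulate` helper, the secrets, the password and the fixed Request Authenticator are constructed, and it assumes the "Bad MD5" message refers to the Response Authenticator check.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT = 2, 3  # RFC 2865 packet codes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_pap_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(blocks * 16, b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_pap_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: undo the hiding with the server's copy of the secret."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def build_response(code, ident, req_auth, attrs, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + req_auth + attrs + secret).digest() + attrs

def response_md5_ok(packet, req_auth, secret):
    """Client side: recompute the Response Authenticator with the client's secret."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)

def simulate(fw_secret: bytes, srv_secret: bytes, password=b"constructed-pass"):
    """Hypothetical helper: one PAP exchange; returns (reply code, MD5 check result)."""
    req_auth = bytes(range(16))  # constructed; real Request Authenticators are random
    hidden = hide_pap_password(password, fw_secret, req_auth)
    ok = reveal_pap_password(hidden, srv_secret, req_auth) == password
    reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, 1, req_auth, b"", srv_secret)
    return reply[0], response_md5_ok(reply, req_auth, fw_secret)

if __name__ == "__main__":
    print("matching secrets:  ", simulate(b"constructed-secret", b"constructed-secret"))
    print("mismatched secrets:", simulate(b"constructed-secret", b"constructed-secert"))
```

With mismatched secrets the server decodes a garbled password and rejects a correct login, and the firewall cannot validate the reply either, which is why the user-facing reason reads as an invalid username/password.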

2- Problem: AD server permission error

The system log shows an invalid username/password failure:
 
User 'admin' failed authentication. Reason: Invalid username/password From: 10.92.188.1.


The authd log shows the error "resp_code = RAD_ACCESS_REJECT":
 
2020-03-24 17:37:57.481 -0400 debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1829): Authenticating user "admin" with <profile: "ATC_Radius", vsys: "vsys1">
2020-03-24 17:37:57.481 -0400 debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for ATC_Radius-vsys1
2020-03-24 17:37:57.481 -0400 debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:230): username: admin
2020-03-24 17:37:57.481 -0400 debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:390): RADIUS request type: PAP
2020-03-24 17:37:57.792 -0400 debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:285): resp_code = RAD_ACCESS_REJECT
2020-03-24 17:37:57.792 -0400 debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1583): Got response for user: "admin"
2020-03-24 17:37:57.792 -0400 debug: pan_auth_response_process(pan_auth_state_engine.c:4298): auth status: auth failed
2020-03-24 17:37:57.792 -0400 debug: pan_auth_incr_failed_attempt(pan_authd_db.c:171): increase failed attempt for user: admin
2020-03-24 17:37:57.792 -0400 debug: pan_auth_response_process(pan_auth_state_engine.c:4477): Authentication failed: <profile: "ATC_Radius", vsys: "vsys1", username "admin">
2020-03-24 17:37:57.792 -0400 failed authentication for user 'admin'. Reason: Invalid username/password. auth profile 'ATC_Radius', vsys 'vsys1', server profile 'ATC_RAD_Servers', server address '10.90.7.60', auth protocol 'PAP', From: 10.92.188.1.
2020-03-24 17:37:57.792 -0400 debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'admin' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6795007509200667545) (return domain 'corp')

Check the user's permission on the AD server: in Active Directory Users and Computers, open the user's properties and, on the Dial-in tab, make sure Allow Access is selected.
