How to troubleshoot Radius authentication failures

To Troubleshoot Authentication failure messages when Radius Server is configured.

• Palo Alto Firewall or Panorama
• Supported PAN-OS
• Radius Authentication

1. Verify the System Log messages to confirm authentication failure (CLI "show log system" or GUI: Monitor > Logs > System)
2. Generally the messages indicate "failed authentication"

User 'TESTCORP\xxxxxx' failed authentication. Reason: Invalid username/password From:x.y.m.n.

3. Open the authd.log (less mp-log authd.log) and verify the logs at the same time.

debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:230): username: xxxxxx
debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:390): RADIUS request type: PAP
debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:285): resp_code = RAD_ACCESS_REJECT
debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1612): Got response for user: "t118009"
Error: pan_rad_process_response(pan_authd_radius_prot.c:255): Invalid RADIUS response received - Bad MD5, it might be caused by mismatched shared secret between server profile and remote RADIUS server

4. If the messages indicate "RAD_ACCESS_REJECT" followed by "Bad MD5", generally it is the wrong shared secret. Correct the shared secret to resolve the issue.
5. If the messages indicate "RAD_ACCESS_REJECT" followed by "PAN_AUTH_FAILURE auth response for user", generally the password or Remote Dial-in access is not granted

debug: _authenticate_by_localdb_or_remote_server(pan_auth_state_engine.c:1829): Authenticating user "xxxxx" with <profile: "XYX_Radius", vsys: "vsys1">
debug: _retrieve_svr_ids(pan_auth_service.c:648): find auth server id vector for XYX_Radius-vsys1
debug: pan_authd_radius_create_req_payload(pan_authd_radius.c:230): username: xxxxx
debug: pan_make_radius_request_buf(pan_authd_radius_prot.c:390): RADIUS request type: PAP
debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:285): resp_code = RAD_ACCESS_REJECT
debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1583): Got response for user: "xxxxx"
debug: pan_auth_response_process(pan_auth_state_engine.c:4298): auth status: auth failed
debug: pan_auth_incr_failed_attempt(pan_authd_db.c:171): increase failed attempt for user: admin
debug: pan_auth_response_process(pan_auth_state_engine.c:4477): Authentication failed: <profile: "XYX_Radius", vsys: "vsys1", username "xxxxx">
failed authentication for user 'admin'. Reason: Invalid username/password. auth profile 'XYX_Radius', vsys 'vsys1', server profile 'XYX_RAD_Servers', server address '10.90.X.T', auth protocol 'PAP', From: 10.92.M.N.
debug: _log_auth_respone(pan_auth_server.c:268): Sent PAN_AUTH_FAILURE auth response for user 'xxxxx' (exp_in_days=-1 (-1 never; 0 within a day))(authd_id: 6795007509200667545) (return domain 'corp')

6. If the password is correct, Check AD server permission :Under Active Directory Users and Computers, inside the user’s properties and under the Dial-in tab> Allow Access :