'Invalid user. Please login using a valid account' observed on CLI after login
Created On 07/11/24 23:30 PM - Last Modified 09/04/24 02:55 AM
Symptom
- Device is using RADIUS or TACACS authentication for management access to the CLI.
- Custom Admin Roles are configured on RADIUS/TACACS Server for the associated user.
- When accessing CLI using SSH, authd logs (less mp-log authd.log) confirm the user is successfully authenticated.
debug: pan_auth_service_recv_response(pan_auth_service_handle.c:1684): Got response for user: "<username>"
debug: pan_auth_response_process(pan_auth_state_engine.c:4557): auth status: auth success
- After successful login, the error 'Invalid user. Please login using a valid account' is displayed in the CLI window and the session is then closed.
- The authentication logs on the RADIUS or TACACS server also confirm a successful login.
Environment
- Palo Alto Firewalls or Panorama
- Supported PAN-OS
- RADIUS or TACACS Authentication
- Custom admin roles
Cause
The custom admin role configured on the PAN-OS device does not match the admin role sent by the RADIUS and/or TACACS+ server.
Resolution
- Identify the admin role being pushed from the RADIUS / TACACS server from the authd debug logs (less mp-log authd.log) similar to the logs below.
debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:301): admin role = <admin role name>
- Navigate to Device (or Panorama) > Admin Roles > Click on the configured role > 'Command Line' tab.
- Check whether the value is set to 'none'. If so, set the role to match the "RADIUS/TACACS" one and commit. This should resolve the issue.
- If the admin role seen in the authd logs is different from the one set under the 'Command Line' tab, change the role configured on the RADIUS / TACACS server to match the value configured on the PAN-OS device.
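
The comparison in the steps above can be scripted against an exported copy of authd.log. This is an added example, not Palo Alto Networks code: the function names, the sample role names and the 'superreader' value are constructed for illustration, and exact, case-sensitive role name matching is an assumption.

```python
import re

# Matches the "admin role = ..." line quoted from authd.log above.
ROLE_RE = re.compile(r"admin role = (.+?)\s*$")

def pushed_roles(log_lines):
    """Return the distinct admin role names seen in the log, in order."""
    seen = []
    for line in log_lines:
        m = ROLE_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen

def check_roles(log_lines, configured):
    """Map each role pushed by the server to a verdict.

    configured: local admin role name -> its 'Command Line' tab value.
    Assumption: role names must match exactly, including case.
    """
    folded = {name.lower(): name for name in configured}
    report = {}
    for role in pushed_roles(log_lines):
        if role in configured:
            if configured[role].lower() == "none":
                report[role] = "defined locally, but Command Line is 'none'"
            else:
                report[role] = "ok"
        elif role.lower() in folded:
            report[role] = f"differs only in case from local role {folded[role.lower()]!r}"
        else:
            report[role] = "no local admin role with this name"
    return report

# Constructed sample lines in the format shown in this article.
SAMPLE_LOG = """\
debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:301): admin role = NetOps-RO
debug: pan_auth_response_process(pan_auth_state_engine.c:4557): auth status: auth success
debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:301): admin role = helpdesk
debug: pan_authd_radius_parse_resp_payload(pan_authd_radius.c:301): admin role = auditors
""".splitlines()

# Constructed local configuration: role name -> Command Line tab value.
SAMPLE_ROLES = {"netops-ro": "superreader", "helpdesk": "none"}

if __name__ == "__main__":
    for role, verdict in check_roles(SAMPLE_LOG, SAMPLE_ROLES).items():
        print(f"{role}: {verdict}")
```

Any verdict other than "ok" points to one of the two fixes in the resolution steps: correct the local role's 'Command Line' setting, or correct the role name configured on the RADIUS / TACACS server.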