Test Authentication Server Connectivity
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Test Authentication Server Connectivity
The test authentication feature enables you
to verify whether the firewall or Panorama can communicate with
the authentication server specified in an authentication profile
and whether an authentication request succeeds for a specific user.
You can test authentication profiles that authenticate administrators
who access the web interface or that authenticate end users who
access applications through GlobalProtect or Authentication Portal.
You can perform authentication tests on the candidate configuration
to verify the configuration is correct before committing.
- Configure an authentication profile. You do not need to commit the authentication profile or server profile configuration before testing.Log into the firewall CLI.(Firewalls with multiple virtual systems) Define the target virtual system that the test command will access.This is required on firewalls with multiple virtual systems so that the test authentication command can locate the user you will test.Define the target virtual system by entering:
admin@PA-325060> set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, enter:admin@PA-3250> set system setting target-vsys vsys2
The target-vsys option is per login session; the firewall clears the option when you log off.Test the authentication profile by entering the following command:admin@PA-3250> test authentication authentication-profile <authentication-profile-name> username <username> password
For example, to test an authentication profile named my-profile for a user named bsimpson, enter:admin@PA-3250> test authentication authentication-profile my-profile username bsimpson password
When running the test command, the names of authentication profiles and server profiles are case sensitive. Also, if an authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This ensures that the firewall sends the correct credentials to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the authentication profile.View the test output.If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration.The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.