The test authentication feature enables you
to verify whether the firewall or Panorama can communicate with
the authentication server specified in an authentication profile
and whether an authentication request succeeds for a specific user.
You can test authentication profiles that authenticate administrators
who access the web interface or that authenticate end users who
access applications through GlobalProtect or Authentication Portal.
You can perform authentication tests on the candidate configuration
to verify the configuration is correct before committing.
the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems
so that the test authentication command can locate the user you
Define the target virtual system by entering:
set system setting target-vsys
For example, if the user is defined in vsys2, enter:
set system setting target-vsys vsys2
is per login session; the firewall clears the option when you log
Test the authentication profile by entering the following
test authentication authentication-profile
For example, to test an authentication profile named my-profile for
a user named bsimpson, enter:
test authentication authentication-profile my-profile username bsimpson password
command, the names of authentication
profiles and server profiles are case sensitive. Also, if an authentication
profile has a username modifier defined, you must enter the modifier
with the username. For example, if you add the username modifier
a user named
and the domain name
the username. This ensures that the firewall sends the correct credentials
to the authentication server. In this example, mydomain.com is the
domain that you define in the
in the authentication profile.
View the test output.
If the authentication profile is configured correctly,
the output displays
If there is a configuration issue, the output displays information
to help you troubleshoot the configuration.
results vary based on several factors related to the authentication
type that you are testing as well as the type of issue. For example,
RADIUS and TACACS+ use different underlying libraries, so the same
issue that exists for both of these types will produce different
errors. Also, if there is a network problem, such as using an incorrect
port or IP address in the authentication server profile, the output
error is not specific. This is because the test command cannot perform
the initial handshake between the firewall and the authentication
server to determine details about the issue.
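
The procedure above, as an added example that is not part of the original documentation: a pre-flight helper that builds the command lines to enter, catching a profile name typed in the wrong case and expanding the username modifier before the test is run. The profile inventory, the helper names and the Admin-RADIUS profile are hypothetical; the example assumes the PAN-OS username modifier tokens %USERINPUT% and %USERDOMAIN%.

```python
# Added example: pre-flight helper for the "test authentication" CLI command.
# The profile inventory below is constructed sample data, not read from a firewall.
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthProfile:
    name: str         # case sensitive on the firewall
    modifier: str     # username modifier configured in the profile
    user_domain: str  # domain configured in the profile ("" if none)
    vsys: str         # virtual system where the users are defined

PROFILES = [  # constructed sample inventory (hypothetical)
    AuthProfile("my-profile", "%USERINPUT%@%USERDOMAIN%", "mydomain.com", "vsys2"),
    AuthProfile("Admin-RADIUS", "%USERINPUT%", "", "vsys1"),
]

def find_profile(name, profiles=PROFILES):
    """Exact, case-sensitive lookup; a case-only mismatch gets a pointed error."""
    for p in profiles:
        if p.name == name:
            return p
    near = [p.name for p in profiles if p.name.lower() == name.lower()]
    hint = f"; did you mean {near[0]!r}? (names are case sensitive)" if near else ""
    raise LookupError(f"no authentication profile named {name!r}{hint}")

def expand_username(profile, user):
    """Apply the profile's username modifier to get the username to type."""
    if "%USERDOMAIN%" in profile.modifier and not profile.user_domain:
        raise ValueError(f"{profile.name}: modifier needs a user domain")
    return (profile.modifier.replace("%USERINPUT%", user)
                            .replace("%USERDOMAIN%", profile.user_domain))

def build_commands(profile_name, user, multi_vsys=True):
    """Return the CLI lines to enter, in order. As in the example above, the
    test command ends with the 'password' keyword, so no secret is stored here."""
    p = find_profile(profile_name)
    cmds = []
    if multi_vsys:  # only needed on firewalls with multiple virtual systems
        cmds.append(f"set system setting target-vsys {p.vsys}")
    cmds.append(f"test authentication authentication-profile {p.name} "
                f"username {expand_username(p, user)} password")
    return cmds

if __name__ == "__main__":
    print("\n".join(build_commands("my-profile", "bsimpson")))
```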