Test the Authentication Configuration
Use the test authentication command to determine if your firewall or Panorama management server can communicate with a back-end authentication server and if the authentication request was successful. You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing.

Connectivity testing is supported for local database authentication and for external authentication servers that use multi-factor authentication (MFA), RADIUS, TACACS+, LDAP, Kerberos, or SAML.

(Vsys-specific authentication profiles only) Specify which virtual system contains the authentication profile you want to test. This is only necessary if you are testing an authentication profile that is specific to a single virtual system (that is, you do not need to do this if the authentication profile is shared).

admin@PA-3060> set system setting target-vsys <vsys-name>

For example, to test an authentication profile in vsys2 you would enter the following command:

admin@PA-3060> set system setting target-vsys vsys2

The set system setting target-vsys command is not persistent across sessions.

Test an authentication profile by entering the following command:

admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password

You will be prompted for the password associated with the user account.

Profile names are case-sensitive. Also, if the authentication profile has a username modifier defined, you must enter it with the username. For example, if the username modifier is %USERINPUT%@%USERDOMAIN%, for a user named bzobrist in domain acme.com, you would need to enter bzobrist@acme.com as the username.

For example, run the following command to test connectivity with a Kerberos server defined in an authentication profile named Corp, using the login for the LDAP user credentials for user bzobrist:

admin@PA-3060> test authentication authentication-profile Corp username bzobrist password
Enter password :
Target vsys is not specified, user "bzobrist" is assumed to be configured with a
shared auth profile.
Do allow list check before sending out authentication request...
name "bzobrist" is in group "all"
Authentication to KERBEROS server at '10.1.2.10' for user 'bzobrist'
Realm: 'ACME.LOCAL'
Egress: 10.55.0.21
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "bzobrist"
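
As an added example (not Palo Alto Networks code), the Python below parses the output shown above so a saved test run can be checked for which server and egress address were used, whether a shared profile was assumed, and whether the final success line names the tested user. The function name, dictionary keys and line patterns are assumptions taken from this single sample, and TRUNCATED is a constructed input.

```python
import re

# Output copied from the page's Kerberos example (password prompt line omitted).
SAMPLE = """\
Target vsys is not specified, user "bzobrist" is assumed to be configured with a
shared auth profile.
Do allow list check before sending out authentication request...
name "bzobrist" is in group "all"
Authentication to KERBEROS server at '10.1.2.10' for user 'bzobrist'
Realm: 'ACME.LOCAL'
Egress: 10.55.0.21
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "bzobrist"
"""
# Constructed input: SAMPLE cut off before its success lines. The page shows no
# failure output, so a missing success line is all this parser treats as failure.
TRUNCATED = SAMPLE.split("Authentication succeeded!")[0]

# Field patterns (hypothetical key names), assumed from the layout of SAMPLE.
PATTERNS = {
    "allow_list_group": r'^name "[^"]+" is in group "([^"]+)"',
    "server_type": r"^Authentication to (\S+) server at ",
    "server": r"^Authentication to \S+ server at '([^']+)'",
    "user": r"^Authentication to .* for user '([^']+)'",
    "realm": r"^Realm: '([^']+)'",
    "egress": r"^Egress: (\S+)",
    "succeeded_user": r'^Authentication succeeded for user "([^"]+)"',
}

def parse_test_authentication(text):
    """Summarise a `test authentication` transcript as a dict."""
    out = {}
    for key, pattern in PATTERNS.items():
        m = re.search(pattern, text, re.MULTILINE)
        out[key] = m.group(1) if m else None
    # The first output line reports that no target vsys was specified and that
    # the user was assumed to be configured with a shared auth profile.
    out["shared_profile_assumed"] = "Target vsys is not specified" in text
    # Count success only if the confirmation names the user that was tested.
    out["succeeded"] = out["user"] is not None and out["succeeded_user"] == out["user"]
    return out

if __name__ == "__main__":
    print(parse_test_authentication(SAMPLE))
```

If the test was meant for a vsys-specific profile, a true shared_profile_assumed value is the field to look at first, since the target-vsys setting does not persist across sessions.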