Troubleshoot Authentication Issues

When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the authentication process takes longer than expected, analyzing authentication-related information can help you determine whether the failure or delay resulted from:
  • User behavior—for example, users are locked out after entering the wrong credentials, or a high volume of users are simultaneously attempting access.
  • System or network issues—for example, an authentication server is inaccessible.
  • Configuration issues—for example, the Allow List of an authentication profile doesn’t have all the users it should have.
The following CLI commands display information that can help you troubleshoot these issues:
Task: Display the number of locked user accounts associated with the authentication profile (auth-profile), authentication sequence (is-seq), or virtual system (vsys). To unlock users, use the following operational command:

    > request authentication [unlock-admin | unlock-user]

Command:

    show authentication locked-users
    {
      vsys <value> |
      auth-profile <value> |
      is-seq {yes | no} {auth-profile | vsys} <value>
    }
Task: Use the debug authentication command to troubleshoot authentication events.
Use the show options to display authentication request statistics and the current debugging level:
  • show displays the current debugging level for the authentication service (authd).
  • show-active-requests displays the number of active checks for authentication requests, allow lists, locked user accounts, and Multi-Factor Authentication (MFA) requests.
  • show-pending-requests displays the number of pending checks for authentication requests, allow lists, locked user accounts, and MFA requests.
  • connection-show displays authentication request and response statistics for all authentication servers or for a specific protocol type.
Use the connection-debug options to enable or disable authentication debugging:
  • Use the on option to enable or the off option to disable debugging for authd.
  • Use the connection-debug-on option to enable or the connection-debug-off option to disable debugging for all authentication servers or for a specific protocol type.
Command:

    debug authentication
    {
      on {debug | dump | error | info | warn} |
      off |
      show |
      show-active-requests |
      show-pending-requests |
      connection-show
      {
        connection-id |
        protocol-type
        {
          Kerberos connection-id <value> |
          LDAP connection-id <value> |
          RADIUS connection-id <value> |
          TACACS+ connection-id <value>
        }
      } |
      connection-debug-on
      {
        connection-id |
        debug-prefix |
        protocol-type
        {
          Kerberos connection-id <value> |
          LDAP connection-id <value> |
          RADIUS connection-id <value> |
          TACACS+ connection-id <value>
        }
      } |
      connection-debug-off
      {
        connection-id |
        protocol-type
        {
          Kerberos connection-id <value> |
          LDAP connection-id <value> |
          RADIUS connection-id <value> |
          TACACS+ connection-id <value>
        }
      }
    }
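The following troubleshooting sequence strings the commands above together in the order a practitioner would run them; it is an added example, not part of the original page or Palo Alto Networks' own documentation. The vsys name vsys1, the authentication profile radius-profile and the RADIUS connection ID 1 are assumed placeholders, and lines beginning with # are annotations, not CLI input.

```console
# Step 1: is the failure a lockout? Count locked accounts for the vsys, then for one profile.
> show authentication locked-users vsys vsys1
> show authentication locked-users auth-profile radius-profile
# One locked account is usually a user who mistyped a password; many accounts locked at
# the same time is the high-volume case from the introduction and deserves a closer look
# before anyone is unlocked. Unlock only after the cause is understood (append the user
# and vsys arguments your PAN-OS release expects; they are not listed on this page).
> request authentication unlock-user

# Step 2: is authd itself busy or stuck? Check the debug level and the request queues.
> debug authentication show
> debug authentication show-active-requests
> debug authentication show-pending-requests
# A growing pending count with few active checks points at a slow or unreachable server
# rather than at the users.

# Step 3: is the server reachable? Compare request and response counts for every server,
# then for the RADIUS connection in question (assumed connection-id 1).
> debug authentication connection-show
> debug authentication connection-show protocol-type RADIUS connection-id 1
# Requests with no matching responses indicate a network or server-side problem, not a
# misconfigured Allow List.

# Step 4: capture detail while one user reproduces the failed login, then switch debugging
# off again so the firewall does not keep writing verbose logs.
> debug authentication on info
> debug authentication connection-debug-on protocol-type RADIUS connection-id 1
# ... have the user retry the login now ...
> debug authentication connection-debug-off protocol-type RADIUS connection-id 1
> debug authentication off
```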
