Test the Authentication Configuration

Use the test authentication command to determine whether your firewall or Panorama management server can communicate with a back-end authentication server and whether the authentication request succeeds. You can also test authentication profiles used for GlobalProtect and Captive Portal authentication. You can run authentication tests against the candidate configuration, so that you know the configuration is correct before committing.
Connectivity testing is supported for local database authentication and for external authentication servers that use multi-factor authentication (MFA), RADIUS, TACACS+, LDAP, or Kerberos.
  1. (Vsys-specific authentication profiles only) Specify which virtual system contains the authentication profile you want to test. This is only necessary if you are testing an authentication profile that is specific to a single virtual system (that is, you do not need to do this if the authentication profile is shared).
    admin@PA-3060> set system setting target-vsys <vsys-name>
    For example, to test an authentication profile in vsys2 you would enter the following command:
    admin@PA-3060> set system setting target-vsys vsys2
    The set system setting target-vsys command is not persistent across sessions.
  2. Test an authentication profile by entering the following command:
    admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password
    You will be prompted for the password associated with the user account.
    Profile names are case-sensitive. Also, if the authentication profile has a username modifier defined, you must enter it with the username. For example, if the username modifier is %USERINPUT%@%USERDOMAIN%, for a user named bzobrist in domain acme.com, you would need to enter bzobrist@acme.com as the username.
    For example, run the following command to test connectivity with a Kerberos server defined in an authentication profile named Corp, using the credentials of the LDAP user bzobrist:
    admin@PA-3060> test authentication authentication-profile Corp username bzobrist password 
    Enter password : 
     
    Target vsys is not specified, user "bzobrist" is assumed to be configured with a 
    shared auth profile. 
     
    Do allow list check before sending out authentication request... 
    name "bzobrist" is in group "all" 
     
    Authentication to KERBEROS server at '10.1.2.10' for user 'bzobrist' 
    Realm: 'ACME.LOCAL' 
    Egress: 10.55.0.21 
    KERBEROS configuration file is created 
    KERBEROS authcontext is created. Now authenticating ... 
    Kerberos principal is created 
    Sending authentication request to KDC... 
    Authentication succeeded! 
     
    Authentication succeeded for user "bzobrist" 
    To test a SAML-based authentication profile, enter the following command, then copy the URL from the output and paste it into a browser:
    admin@PA-VM-8.0> test generate-saml-url <captive-portal|global-protect|management> <interface> authprofile <authentication-profile-name> vsys <vsysid> ip-hostname <ip-address>
    For example, run the following command to test the SAML authentication for Captive Portal that is defined in the authentication profile named Admin_AuthProfile on the virtual system vsys1 for IP address 192.0.2.0:
    admin@PA-VM-8.0> test generate-saml-url captive-portal authprofile Admin_AuthProfile
    https://192.0.2.0/SAML20/SP/TEST?vsys=vsys1&authprofile=Admin_AuthProfile
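
When the test in step 2 is repeated for many profiles, the transcript can be checked mechanically. The following Python sketch is an added example, not part of the original documentation or of PAN-OS: it parses only the fields visible in the Kerberos sample output above, and the function names (expand_username, parse_transcript, review) are hypothetical. It also flags the case from step 1 where a vsys-specific profile was tested without setting target-vsys.

```python
import re

# Transcript lines copied from the Kerberos example on this page
# (blank lines and some progress lines dropped).
SAMPLE = """\
Target vsys is not specified, user "bzobrist" is assumed to be configured with a
shared auth profile.
Do allow list check before sending out authentication request...
name "bzobrist" is in group "all"
Authentication to KERBEROS server at '10.1.2.10' for user 'bzobrist'
Realm: 'ACME.LOCAL'
Egress: 10.55.0.21
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "bzobrist"
"""

def expand_username(modifier, user, domain):
    """Build the username to type when the profile has a username modifier."""
    return modifier.replace("%USERINPUT%", user).replace("%USERDOMAIN%", domain)

def parse_transcript(text):
    """Extract the fields visible in the sample output; missing ones stay None."""
    patterns = {
        "server": r"Authentication to (\S+) server at '([^']+)'",
        "realm": r"^Realm: '([^']+)'",
        "egress": r"^Egress: (\S+)",
        "group": r'^name "[^"]+" is in group "([^"]+)"',
        "succeeded_user": r'^Authentication succeeded for user "([^"]+)"',
    }
    out = {}
    for key, pat in patterns.items():
        m = re.search(pat, text, re.MULTILINE)
        out[key] = (m.groups() if len(m.groups()) > 1 else m.group(1)) if m else None
    # This message appears when step 1 (set system setting target-vsys) was skipped.
    out["shared_assumed"] = "Target vsys is not specified" in text
    return out

def review(text, expected_user, vsys_specific=False):
    """Return a list of findings; an empty list means the test looks clean."""
    info, findings = parse_transcript(text), []
    if info["succeeded_user"] != expected_user:
        findings.append("no success line for " + expected_user)
    if vsys_specific and info["shared_assumed"]:
        findings.append("target-vsys not set; profile was treated as shared")
    return findings

if __name__ == "__main__":
    print(parse_transcript(SAMPLE))
    print(review(SAMPLE, "bzobrist", vsys_specific=True))
```

Because target-vsys is not persistent across sessions, the vsys_specific check is worth running on every new CLI session rather than once.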
