Test the Authentication Configuration
Use the test authentication command to determine if your firewall or Panorama management server can communicate with a back-end authentication server and if the authentication request was successful. You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing.
Connectivity testing is supported for local database authentication and for external authentication servers that use multi-factor authentication (MFA), RADIUS, TACACS+, LDAP, or Kerberos.
- (Vsys-specific authentication profiles only) Specify which virtual system contains the authentication profile you want to test. This is only necessary if you are testing an authentication profile that is specific to a single virtual system (that is, you do not need to do this if the authentication profile is shared).
admin@PA-3060> set system setting target-vsys <vsys-name>
For example, to test an authentication profile in vsys2 you would enter the following command:
admin@PA-3060> set system setting target-vsys vsys2
The set system setting target-vsys command is not persistent across sessions.
- Test an authentication profile by entering the following command:
admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password
You will be prompted for the password associated with the user account.
Profile names are case-sensitive. Also, if the authentication profile has a username modifier defined, you must enter it with the username. For example, if the username modifier is %USERINPUT%@%USERDOMAIN%, for a user named bzobrist in domain acme.com, you would need to enter bzobrist@acme.com as the username.
For example, run the following command to test connectivity with a Kerberos server defined in an authentication profile named Corp, using the login credentials of the LDAP user bzobrist:
admin@PA-3060> test authentication authentication-profile Corp username bzobrist password
Enter password :
Target vsys is not specified, user "bzobrist" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "bzobrist" is in group "all"
Authentication to KERBEROS server at '10.1.2.10' for user 'bzobrist'
Realm: 'ACME.LOCAL'
Egress: 10.55.0.21
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "bzobrist"
To test a SAML-based authentication profile, enter the following command, then copy the URL from the output and paste it into a browser:
admin@PA-VM-8.0> test generate-saml-url <captive-portal|global-protect|management> <interface> authprofile <authentication-profile-name> vsys <vsysid> ip-hostname <ip-address>
For example, run the following command to test the SAML authentication for Captive Portal that is defined in the authentication profile named Admin_AuthProfile on the virtual system vsys1 for IP address 192.0.2.0:
admin@PA-VM-8.0> test generate-saml-url captive-portal authprofile Admin_AuthProfile
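The following Python example is added here and is not Palo Alto Networks code. It expands the username modifier described above and extracts the server, realm, egress address, allow-list group and final result from the Kerberos transcript shown above, so a test run against the candidate configuration can be recorded and compared with the intended server and egress interface before committing. The function names and the handling of a missing success line are assumptions; only the output wording in the sample on this page is covered.

```python
import re

# Transcript copied from the Kerberos example on this page.
SAMPLE = '''\
Enter password :
Target vsys is not specified, user "bzobrist" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "bzobrist" is in group "all"
Authentication to KERBEROS server at '10.1.2.10' for user 'bzobrist'
Realm: 'ACME.LOCAL'
Egress: 10.55.0.21
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "bzobrist"
'''

def expand_username(modifier, user, domain):
    """Build the username to type when the profile defines a username modifier."""
    return modifier.replace("%USERINPUT%", user).replace("%USERDOMAIN%", domain)

# One pattern per field an operator would otherwise check by eye.
PATTERNS = {
    "server_type": r"Authentication to (\S+) server at",
    "server": r"server at '([^']+)'",
    "realm": r"^Realm: '([^']+)'",
    "egress": r"^Egress: (\S+)",
    "allow_group": r'is in group "([^"]+)"',
    "authenticated_user": r'^Authentication succeeded for user "([^"]+)"',
}

def parse_test_output(text):
    """Return the parsed fields plus profile scope and overall result."""
    result = {}
    for key, pattern in PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        result[key] = match.group(1) if match else None
    # This message appears when no target-vsys was set for the session.
    result["shared_profile"] = "Target vsys is not specified" in text
    # Only the final per-user success line counts; its absence is a failure.
    result["succeeded"] = result["authenticated_user"] is not None
    return result

if __name__ == "__main__":
    print(expand_username("%USERINPUT%@%USERDOMAIN%", "bzobrist", "acme.com"))
    for field, value in parse_test_output(SAMPLE).items():
        print(f"{field:20} {value}")
```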