Test Authentication Server Connectivity
The test authentication feature enables you to verify whether the firewall or Panorama can communicate with the authentication server specified in an authentication profile and whether an authentication request succeeds for a specific user. You can test authentication profiles that authenticate administrators who access the web interface or that authenticate end users who access applications through GlobalProtect or Captive Portal. You can perform authentication tests on the candidate configuration to verify the configuration is correct before committing.
- Configure an authentication profile. You do not need to commit the authentication profile or server profile configuration before testing.
- Log in to the firewall CLI.
- (Firewalls with multiple virtual systems) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems so that the test authentication command can locate the user you will test. Define the target virtual system by entering:
    admin@PA-3250> set system setting target-vsys <vsys-name>
  For example, if the user is defined in vsys2, enter:
    admin@PA-3250> set system setting target-vsys vsys2
  The target-vsys option is per login session; the firewall clears the option when you log off.
- Test the authentication profile by entering the following command:
    admin@PA-3250> test authentication authentication-profile <authentication-profile-name> username <username> password
  For example, to test an authentication profile named my-profile for a user named bsimpson, enter:
    admin@PA-3250> test authentication authentication-profile my-profile username bsimpson password
  When running the test command, the names of authentication profiles and server profiles are case sensitive. Also, if an authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This ensures that the firewall sends the correct credentials to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the authentication profile.
- View the test output. If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration.
  The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.