Test Authentication Server Connectivity

The test authentication feature enables you to verify whether the firewall or Panorama can communicate with the authentication server specified in an authentication profile and whether an authentication request succeeds for a specific user. You can test authentication profiles that authenticate administrators who access the web interface or that authenticate end users who access applications through GlobalProtect or Captive Portal. You can perform authentication tests on the candidate configuration to verify the configuration is correct before committing.
  1. Configure an authentication profile. You do not need to commit the authentication profile or server profile configuration before testing.
  2. Log in to the firewall CLI.
  3. (Firewalls with multiple virtual systems) Define the target virtual system that the test command will access.
    This is required on firewalls with multiple virtual systems so that the test authentication command can locate the user you will test.
    Define the target virtual system by entering:
    admin@PA-3060> set system setting target-vsys <vsys-name>
    For example, if the user is defined in vsys2, enter:
    admin@PA-3060> set system setting target-vsys vsys2
    The target-vsys option is per login session; the firewall clears the option when you log off.
  4. Test the authentication profile by entering the following command:
    admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password
    For example, to test an authentication profile named my-profile for a user named bsimpson, enter:
    admin@PA-3060> test authentication authentication-profile my-profile username bsimpson password
    When running the test command, the names of authentication profiles and server profiles are case sensitive. Also, if an authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This ensures that the firewall sends the correct credentials to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the authentication profile.
  5. View the test output.
    If the authentication profile is configured correctly, the output displays Authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration.
    The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.
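
The following is an added example, not part of the original documentation or any Palo Alto Networks tooling: a Python helper that prepares the CLI lines for steps 3 and 4 and checks the step 5 output. It catches a profile name that differs only in case and expands the username modifier before the command is typed. The inventory dictionary, the second profile, and all function names are assumptions made for illustration.

```python
import re

# Constructed sample inventory (assumption): name -> (vsys, modifier, User Domain)
PROFILES = {
    "my-profile": ("vsys2", "%USERINPUT%@%USERDOMAIN%", "mydomain.com"),
    "Radius-Admins": ("vsys1", "%USERINPUT%", ""),
}


def resolve_profile(name, profiles=PROFILES):
    """Return the exact profile name; the test command is case sensitive."""
    if name in profiles:
        return name
    near = [p for p in profiles if p.lower() == name.lower()]
    if near:
        raise ValueError(f"profile {name!r} not found; case-sensitive match is {near[0]!r}")
    raise ValueError(f"profile {name!r} not found")


def apply_modifier(modifier, user, domain):
    """Expand the username modifier into the username to type for the test."""
    if "%USERDOMAIN%" in modifier and not domain:
        raise ValueError("modifier uses %USERDOMAIN% but User Domain is empty")
    tokens = {"%USERINPUT%": user, "%USERDOMAIN%": domain}
    # Single pass, so text inside the user or domain value is never re-expanded
    return re.sub(r"%USERINPUT%|%USERDOMAIN%", lambda m: tokens[m.group()], modifier)


def build_test_commands(profile, user, multi_vsys=True, profiles=PROFILES):
    """Return the CLI lines to enter, in order, for one authentication test."""
    name = resolve_profile(profile, profiles)
    vsys, modifier, domain = profiles[name]
    lines = []
    if multi_vsys:
        # target-vsys is cleared at logoff, so set it in every new session
        lines.append(f"set system setting target-vsys {vsys}")
    username = apply_modifier(modifier, user, domain)
    lines.append(f"test authentication authentication-profile {name} username {username} password")
    return lines


def auth_succeeded(output):
    """Only the success string is stable; error text varies by server type."""
    return "Authentication succeeded" in output


if __name__ == "__main__":
    for line in build_test_commands("my-profile", "bsimpson"):
        print(line)
```
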
