Troubleshoot Authentication Issues

When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the authentication process takes longer than expected, analyzing authentication-related information can help you determine whether the failure or delay resulted from:
  • User behavior—For example, users are locked out after entering the wrong credentials or a high volume of users are simultaneously attempting access.
  • System or network issues—For example, an authentication server is inaccessible.
  • Configuration issues—For example, the Allow List of an authentication profile doesn’t have all the users it should have.
The following CLI commands display information that can help you troubleshoot these issues:
Task: Display the number of locked user accounts associated with an authentication profile (auth-profile), an authentication sequence (is-seq), or a virtual system (vsys).
To unlock users, use the following operational command:
> request authentication [unlock-admin | unlock-user]
Command:
PA-200> show authentication locked-users
   {
   vsys <value> |
   auth-profile <value> |
   is-seq
      {yes | no}
      {auth-profile | vsys} <value>
   }
Task: Use the debug authentication command to troubleshoot authentication events.
Use the show options to display authentication request statistics and the current debugging level:
  • show displays the current debugging level for the authentication service (authd).
  • show-active-requests displays the number of active checks for authentication requests, allow lists, locked user accounts, and Multi-Factor Authentication (MFA) requests.
  • show-pending-requests displays the number of pending checks for authentication requests, allow lists, locked user accounts, and MFA requests.
  • connection-show displays authentication request and response statistics for all authentication servers or for a specific protocol type.
Use the connection-debug options to enable or disable authentication debugging:
  • Use the on option to enable or the off option to disable debugging for authd.
  • Use the connection-debug-on option to enable or the connection-debug-off option to disable debugging for all authentication servers or for a specific protocol type.
Command:
PA-200> debug authentication
   {
   on {debug | dump | error | info | warn} |
   show |
   show-active-requests |
   show-pending-requests |
   connection-show
      {
      connection-id |
      protocol-type
         {
         Kerberos connection-id <value> |
         LDAP connection-id <value> |
         RADIUS connection-id <value> |
         TACACS+ connection-id <value>
         }
      } |
   connection-debug-on
      {
      connection-id |
      debug-prefix |
      protocol-type
         {
         Kerberos connection-id <value> |
         LDAP connection-id <value> |
         RADIUS connection-id <value> |
         TACACS+ connection-id <value>
         }
      } |
   connection-debug-off
      {
      connection-id |
      protocol-type
         {
         Kerberos connection-id <value> |
         LDAP connection-id <value> |
         RADIUS connection-id <value> |
         TACACS+ connection-id <value>
         }
      } |
   off
   }
Task: Test the connection and validity of the certificate profile.
Command:
PA-200> test authentication authentication-profile <auth-profile> username <username> password <password>
Task: Troubleshoot a specific authentication attempt by searching for its Authentication ID, which is displayed in Monitor > Logs > Authentication.
Command:
PA-200> grep <Authentication ID>