>
    Troubleshoot Authentication Issues
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. Authentication
    4. Troubleshoot Authentication Issues
    Download PDF

    Troubleshoot Authentication Issues

    Table of Contents

    Troubleshoot Authentication Issues

    When users fail to authenticate to a Palo Alto Networks firewall or Panorama, or the Authentication process takes longer than expected, analyzing authentication-related information can help you determine whether the failure or delay resulted from:
    • User behavior—For example, users are locked out after entering the wrong credentials or a high volume of users are simultaneously attempting access.
    • System or network issues—For example, an authentication server is inaccessible.
    • Configuration issues—For example, the Allow List of an authentication profile doesn’t have all the users it should have.
    The following CLI commands display information that can help you troubleshoot these issues:
    Task
    Command
    Display the number of locked user accounts associated with the authentication profile (auth-profile), authentication sequence (is-seq), or virtual system (vsys).
    To unlock users, use the following operational command:
    > request
authentication [unlock-admin | unlock-user]
    PA-220> show authentication locked-users 
   { 
   vsys <value> | 
   auth-profile <value> | 
   is-seq 
      {yes | no}  
      {auth-profile | vsys} <value> 
   }
    Use the debug authentication command to troubleshoot authentication events.
    Use the show options to display authentication request statistics and the current debugging level:
    • show displays the current debugging level for the authentication service (authd).
    • show-active-requests displays the number of active checks for authentication requests, allow lists, locked user accounts, and Multi-Factor Authentication (MFA) requests.
    • show-pending-requests displays the number of pending checks for authentication requests, allow lists, locked user accounts, and MFA requests.
    • connection-show displays authentication request and response statistics for all authentication servers or for a specific protocol type.
    Use the connection-debug options to enable or disable authentication debugging:
    • Use the on option to enable or the off option to disable debugging for authd.
    • Use the connection-debug-on option to enable or the connection-debug-off option to disable debugging for all authentication servers or for a specific protocol type.
    PA-220> debug authentication 
   { 
   on {debug | dump | error | info | warn} | 
   show | 
   show-active-requests | 
   show-pending-requests |     
   connection-show | 
      { 
      connection-id | 
      protocol-type 
         { 
         Kerberos connection-id <value> | 
         LDAP connection-id <value> | 
         RADIUS connection-id <value> | 
         TACACS+ connection-id <value> | 
         } 
   connection-debug-on | 
      { 
      connection-id | 
      debug-prefix | 
      protocol-type 
         { 
         Kerberos connection-id <value> | 
         LDAP connection-id <value> | 
         RADIUS connection-id <value> | 
         TACACS+ connection-id <value> | 
         } 
   connection-debug-off | 
      { 
      connection-id | 
      protocol-type 
         { 
         Kerberos connection-id <value> | 
         LDAP connection-id <value> | 
         RADIUS connection-id <value> | 
         TACACS+ connection-id <value> | 
         } 
   connection-debug-on 
   }
    Test the connection and validity of the certificate profile.
    PA-220> test authentication authentication-profile auth-profile username <username>password <password>
    Troubleshoot a specific authentication using the Authentication ID displayed in MonitorLogsAuthentication.
    PA-220> grep <Authentication ID>

    © 2024 Palo Alto Networks, Inc. All rights reserved.