Test the Authentication Configuration
Use the test authentication command to determine if your firewall or Panorama management server can communicate with a back-end authentication server and if the authentication request was successful. You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing.

Connectivity testing is supported for local database authentication and for external authentication servers that use multi-factor authentication (MFA), RADIUS, TACACS+, LDAP, Kerberos, or SAML.
- (Vsys-specific authentication profiles only) Specify which virtual system contains the authentication profile you want to test. This is only necessary if you are testing an authentication profile that is specific to a single virtual system (that is, you do not need to do this if the authentication profile is shared).

  admin@PA-3060> set system setting target-vsys <vsys-name>

  For example, to test an authentication profile in vsys2 you would enter the following command:

  admin@PA-3060> set system setting target-vsys vsys2

  The set system setting target-vsys command is not persistent across sessions.

- Test an authentication profile by entering the following command:

  admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password

  You will be prompted for the password associated with the user account.

  Profile names are case-sensitive. Also, if the authentication profile has a username modifier defined, you must enter it with the username. For example, if the username modifier is %USERINPUT%@%USERDOMAIN%, for a user named bzobrist in domain acme.com, you would need to enter bzobrist@acme.com as the username.

  For example, run the following command to test connectivity with a Kerberos server defined in an authentication profile named Corp, using the LDAP login credentials for user bzobrist:

  admin@PA-3060> test authentication authentication-profile Corp username bzobrist password
  Enter password :
  Target vsys is not specified, user "bzobrist" is assumed to be configured with a shared auth profile.
  Do allow list check before sending out authentication request...
  name "bzobrist" is in group "all"
  Authentication to KERBEROS server at '10.1.2.10' for user 'bzobrist'
  Realm: 'ACME.LOCAL'
  Egress: 10.55.0.21
  KERBEROS configuration file is created
  KERBEROS authcontext is created. Now authenticating ...
  Kerberos principal is created
  Sending authentication request to KDC...
  Authentication succeeded!
  Authentication succeeded for user "bzobrist"
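The procedure above is meant to be run interactively, but an operator who validates many profiles before a commit usually captures the transcript and checks it by script. The following Python is an added example, not code from Palo Alto Networks or the PAN-OS documentation: it expands a username modifier the way the text describes and parses a captured test authentication transcript into a structured result. The sample transcript is constructed from the Kerberos output shown on this page; the AuthTestResult fields, the regular expressions, and the profile_check_passed gate are this example's own assumptions, not a PAN-OS API.

```python
"""Added example (not from the PAN-OS documentation): apply an
authentication-profile username modifier and parse the transcript that
`test authentication` prints, so a pre-commit check can decide whether a
profile works without a person reading the output."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the Kerberos transcript shown on the page, as the text a
# script would capture from the CLI session after sending the command.
SAMPLE_OUTPUT = """Enter password :
Target vsys is not specified, user "bzobrist" is assumed to be configured with a shared auth profile.
Do allow list check before sending out authentication request...
name "bzobrist" is in group "all"
Authentication to KERBEROS server at '10.1.2.10' for user 'bzobrist'
Realm: 'ACME.LOCAL'
Egress: 10.55.0.21
KERBEROS configuration file is created
KERBEROS authcontext is created. Now authenticating ...
Kerberos principal is created
Sending authentication request to KDC...
Authentication succeeded!
Authentication succeeded for user "bzobrist"
"""


def apply_username_modifier(modifier: str, user_input: str, user_domain: str = "") -> str:
    """Expand %USERINPUT% and %USERDOMAIN% as the documentation describes,
    producing the username that must be typed on the CLI."""
    return modifier.replace("%USERINPUT%", user_input).replace("%USERDOMAIN%", user_domain)


@dataclass
class AuthTestResult:
    # Field names are this example's own; PAN-OS exposes no such structure.
    succeeded: bool
    user: Optional[str] = None
    server_type: Optional[str] = None
    server: Optional[str] = None
    realm: Optional[str] = None
    egress: Optional[str] = None
    allow_list_group: Optional[str] = None
    shared_profile_assumed: bool = False


# Patterns follow the message formats visible in the sample transcript.
_SERVER_RE = re.compile(r"Authentication to (\S+) server at '([^']+)' for user '([^']+)'")
_REALM_RE = re.compile(r"Realm: '([^']+)'")
_EGRESS_RE = re.compile(r"Egress: (\S+)")
_GROUP_RE = re.compile(r'name "([^"]+)" is in group "([^"]+)"')
_SUCCESS_RE = re.compile(r'Authentication succeeded for user "([^"]+)"')


def parse_test_authentication(output: str) -> AuthTestResult:
    """Turn a captured `test authentication` transcript into an AuthTestResult.
    Success is recognised only by the final per-user success line; anything
    else (an error, a truncated session) is treated as not succeeded."""
    result = AuthTestResult(succeeded=False)
    result.shared_profile_assumed = "Target vsys is not specified" in output
    if m := _SERVER_RE.search(output):
        result.server_type, result.server, result.user = m.groups()
    if m := _REALM_RE.search(output):
        result.realm = m.group(1)
    if m := _EGRESS_RE.search(output):
        result.egress = m.group(1)
    if m := _GROUP_RE.search(output):
        result.allow_list_group = m.group(2)
    if m := _SUCCESS_RE.search(output):
        result.succeeded = True
        result.user = m.group(1)
    return result


def profile_check_passed(output: str, expected_server: str) -> bool:
    """Pre-commit gate: the test must succeed AND reach the server the profile
    is expected to use, which catches a profile that quietly points at the
    wrong host even though some server accepted the credentials."""
    r = parse_test_authentication(output)
    return r.succeeded and r.server == expected_server


if __name__ == "__main__":
    print(apply_username_modifier("%USERINPUT%@%USERDOMAIN%", "bzobrist", "acme.com"))
    print(parse_test_authentication(SAMPLE_OUTPUT))
```

Checking the server address as well as the success line matters because the page notes that an unspecified target vsys makes the firewall assume a shared profile; a script that only looks for "Authentication succeeded" would not notice that the test exercised a different profile than the one being changed.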