Test the Authentication Configuration
Use the test authentication command to determine if your firewall or Panorama management server can communicate with a back-end authentication server and if the authentication request was successful. You can additionally test authentication profiles used for GlobalProtect and Captive Portal authentication. You can perform authentication tests on the candidate configuration, so that you know the configuration is correct before committing.
Authentication server connectivity testing is supported for local database, RADIUS, TACACS+, LDAP, and Kerberos authentication.
Test Authentication Server Connectivity
(Vsys-specific authentication profiles only) Specify which virtual system (vsys) contains the authentication profile you want to test. This is only necessary if you are testing an authentication profile that is specific to a single vsys (that is, you do not need to do this if the authentication profile is shared). admin@PA-3060> set system setting target-vsys <vsys-name> For example, to test an authentication profile in vsys2 you would enter the following command: admin@PA-3060> set system setting target-vsys vsys2 The set system setting target-vsys command is not persistent across sessions.
Test an authentication profile by entering the following command: admin@PA-3060> test authentication authentication-profile <authentication-profile-name> username <username> password You will be prompted for the password associated with the user account. Profile names are case-sensitive. Also, if the authentication profile has a username modifier defined, you must enter it with the username. For example, if the username modifier is %USERINPUT%@%USERDOMAIN%, for a user named bzobrist in domain acme.com, you would need to enter bzobrist@acme.com as the username. For example, run the following command to test connectivity with a Kerberos server defined in an authentication profile named Corp, using the login for the LDAP user credentials for user bzobrist: admin@PA-3060> test authentication authentication-profile Corp username bzobrist password Enter password : Target vsys is not specified, user "bzobrist" is assumed to be configured with a shared auth profile. Do allow list check before sending out authentication request... name "bzobrist" is in group "all" Authentication to KERBEROS server at '10.1.2.10' for user 'bzobrist' Realm: 'ACME.LOCAL' Egress: 10.55.0.21 KERBEROS configuration file is created KERBEROS authcontext is created. Now authenticating ... Kerberos principal is created Sending authentication request to KDC... Authentication succeeded! Authentication succeeded for user "bzobrist"

Related Documentation