Run the Test Authentication Command
On the PAN-OS firewall or Panorama server, configure an authentication profile.
You do not need to commit the authentication or server profile configuration prior to testing.
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
(Firewalls with virtual systems configured) Define the target virtual system that the test command will access.
This is required on firewalls with multiple virtual systems (vsys) configured, so that the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys.
To define the target vsys:
set system setting target-vsys <vsys-name>
For example, if the user is defined in vsys2, run the following command:
set system setting target-vsys vsys2
This command is per-login session, so the system clears the option when you log off.
Test an authentication profile by entering the following command:
test authentication authentication-profile <authentication-profile-name> username <username> password
For example, to test an authentication profile named my-profile for a user named bsimpson, run the following command:
test authentication authentication-profile my-profile username bsimpson password
Authentication profile names and server profile names are case sensitive when you enter them in the test command. Also, if the authentication profile has a username modifier defined, you must enter the modifier with the username. For example, if you add the username modifier %USERINPUT%@%USERDOMAIN% for a user named bsimpson and the domain name is mydomain.com, enter bsimpson@mydomain.com as the username. This ensures that the correct credentials are sent to the authentication server. In this example, mydomain.com is the domain that you define in the User Domain field in the Authentication profile.
View the output of the test results.
If the authentication profile is configured correctly, the output indicates that authentication succeeded. If there is a configuration issue, the output displays information to help you troubleshoot the configuration.
For example use cases on the supported authentication profile types, see Test Authentication Server Connectivity.
The output results vary based on several factors related to the authentication type that you are testing as well as the type of issue. For example, RADIUS and TACACS+ use different underlying libraries, so the same issue that exists for both of these types will produce different errors. Also, if there is a network problem, such as using an incorrect port or IP address in the authentication server profile, the output error is not specific. This is because the test command cannot perform the initial handshake between the firewall and the authentication server to determine details about the issue.
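The following added example (not part of the original procedure and not vendor code) builds the exact command lines from the steps above before you type them into the SSH session: it applies the username modifier, rejects a profile name that differs from a configured one only by case, and prepends the target-vsys command when a vsys is given. The function names and the `configured` list of profile names are assumptions made for this sketch.

```python
import re

# Added example, not vendor code. `configured` is a list of authentication
# profile names that you supply yourself (an assumption of this sketch).

def expand_username(user, modifier="", domain=""):
    """Return the string to type after `username`, with the modifier applied."""
    if not modifier:
        return user
    if "%USERDOMAIN%" in modifier and not domain:
        raise ValueError("modifier uses %USERDOMAIN% but no User Domain was given")
    values = {"%USERINPUT%": user, "%USERDOMAIN%": domain}
    # Single pass, so text substituted for one variable is never re-expanded.
    return re.sub("%USERINPUT%|%USERDOMAIN%", lambda m: values[m.group(0)], modifier)

def check_profile_name(name, configured):
    """Profile names are case sensitive: flag a name that matches only by case."""
    if name in configured:
        return name
    near = [p for p in configured if p.lower() == name.lower()]
    if near:
        raise ValueError(f"profile {name!r} not found; case-sensitive match is {near[0]!r}")
    raise ValueError(f"profile {name!r} not found")

def build_test_commands(profile, user, configured, modifier="", domain="", vsys=None):
    """Return the CLI lines to enter, in order, for one test run."""
    check_profile_name(profile, configured)
    commands = []
    if vsys:  # only needed on firewalls with multiple virtual systems
        commands.append(f"set system setting target-vsys {vsys}")
    username = expand_username(user, modifier, domain)
    commands.append(
        f"test authentication authentication-profile {profile} username {username} password"
    )
    return commands

if __name__ == "__main__":
    # Constructed sample values taken from the examples in the text above.
    for line in build_test_commands(
        "my-profile", "bsimpson", ["my-profile"],
        modifier="%USERINPUT%@%USERDOMAIN%", domain="mydomain.com", vsys="vsys2",
    ):
        print(line)
```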