Test a Local Database Authentication Profile
The following example shows how to test a Local Database authentication profile named LocalDB-Profile for a user named User1-LocalDB, and how to troubleshoot the error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
Local Database Authentication Profile Test Example
1. On the PAN-OS firewall, ensure that you have an administrator configured with the type Local Database. For information on administrator accounts, refer to Manage Firewall Administrators.
2. Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
3. (Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so that the test authentication command can locate the user (a GlobalProtect or Captive Portal user, for example) in the correct vsys. To define the target vsys:
   admin@PA-3060> set system setting target-vsys <vsys-name>
   For example, if the user is defined in vsys2, run the following command:
   admin@PA-3060> set system setting target-vsys vsys2
   The target-vsys setting is per login session, so the firewall clears it when you log off.
4. Run the following CLI command:
   admin@PA-3060> test authentication authentication-profile LocalDB-Profile username User1-LocalDB password
5. When prompted, enter the password for the User1-LocalDB account. The following output shows that the test failed:
   Allow list check error: Do allow list check before sending out authentication request...
   User User1-LocalDB is not allowed with authentication profile LocalDB-Profile
   In this case, the last line of the output shows that the user is not allowed, which indicates a configuration problem in the authentication profile: the allow list check rejects the user before any authentication request is sent, so the user is not on the profile's Allow List.
6. To resolve this issue, modify the authentication profile and add the user to the Allow List. On the firewall, select Device > Authentication Profile and modify the profile named LocalDB-Profile. Click the Advanced tab and add User1-LocalDB to the Allow List. Click OK to save the change.
7. Run the test command again. The following output shows that the test is successful:
   Do allow list check before sending out authentication request...
   name "User1-LocalDB" has an exact match in allow list
   Authentication by Local User Database for user "User1-LocalDB"
   Authentication succeeded for Local User Database user "User1-LocalDB"
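When the same check has to be repeated for many accounts after an Allow List change, it helps to reduce each test authentication transcript to a verdict mechanically. The following Python script is an added example, not Palo Alto Networks code: it parses transcripts whose wording follows the two outputs shown above (the line formats are taken from this page; any other output lines the command may print are not covered and are treated as unknown), extracts the user and profile names, and reports which accounts are still rejected by the allow list check. The two transcripts embedded in the script are constructed from the page's output lines so that the script runs offline.

```python
import re

# Constructed transcripts, taken from the output lines shown on this page.
FAILED_OUTPUT = """Allow list check error: Do allow list check before sending out authentication request...
User User1-LocalDB is not allowed with authentication profile LocalDB-Profile"""

SUCCESS_OUTPUT = """Do allow list check before sending out authentication request...
name "User1-LocalDB" has an exact match in allow list
Authentication by Local User Database for user "User1-LocalDB"
Authentication succeeded for Local User Database user "User1-LocalDB\""""

# Line formats as shown on the page (assumed stable across PAN-OS releases).
NOT_ALLOWED = re.compile(
    r'^User (?P<user>\S+) is not allowed with authentication profile (?P<profile>\S+)$')
SUCCEEDED = re.compile(
    r'^Authentication succeeded for (?P<backend>.+?) user "(?P<user>[^"]+)"$')


def classify_test_output(output: str) -> dict:
    """Reduce one test authentication transcript to a verdict.

    Returns a dict with status 'allow_list_denied', 'succeeded' or 'unknown',
    plus the user/profile names found and a remediation hint for the
    allow-list case (the fix described on this page).
    """
    result = {"status": "unknown", "user": None, "profile": None,
              "backend": None, "remediation": None}
    for line in output.splitlines():
        line = line.strip()
        m = NOT_ALLOWED.match(line)
        if m:
            result.update(
                status="allow_list_denied", user=m["user"], profile=m["profile"],
                remediation=(f"Add {m['user']} to the Allow List of {m['profile']} "
                             "(Device > Authentication Profile > Advanced)"))
            return result
        m = SUCCEEDED.match(line)
        if m:
            result.update(status="succeeded", user=m["user"], backend=m["backend"])
            return result
    return result


def users_needing_remediation(transcripts: dict) -> list:
    """Given {username: transcript}, return the users still denied by the allow list.

    Unknown transcripts are reported too, so a changed output format is not
    silently read as success.
    """
    pending = []
    for user, output in transcripts.items():
        verdict = classify_test_output(output)
        if verdict["status"] != "succeeded":
            pending.append((user, verdict["status"], verdict["remediation"]))
    return pending


if __name__ == "__main__":
    # Hypothetical batch: one user still missing from the Allow List, one fixed.
    batch = {"User1-LocalDB": FAILED_OUTPUT, "User2-LocalDB": SUCCESS_OUTPUT}
    for user, status, hint in users_needing_remediation(batch):
        print(f"{user}: {status}" + (f" -> {hint}" if hint else ""))
```

The parser returns a verdict only when it sees one of the two decisive lines, so a transcript that matches neither (for example, a different backend error) is flagged as unknown rather than assumed to have passed; that keeps a batch check from masking a new failure mode behind a changed output format.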