Test a RADIUS Authentication Profile
The following example shows how to test a RADIUS profile named RADIUS-Profile for a user named User2-RADIUS and how to troubleshoot error conditions that arise. For details on using the test authentication command, see Run the Test Authentication Command.
RADIUS Authentication Profile Test Example
On the PAN-OS firewall, Configure a RADIUS Server Profile and Configure an authentication profile. In the authentication profile, you select the new RADIUS server profile in the Server Profile drop-down.
Using a terminal emulation application, such as PuTTY, launch an SSH session to the firewall.
(Firewalls with virtual systems configured) Define the target virtual system that the test command will access. This is required on firewalls with multiple virtual systems (vsys) configured, so the test authentication command can locate the user (GlobalProtect or Captive Portal, for example) in the correct vsys. To define the target vsys:

    admin@PA-3060> set system setting target-vsys <vsys-name>

For example, if the user is defined in vsys2, run the following command:

    admin@PA-3060> set system setting target-vsys vsys2

The target-vsys command is per-login session, so the system clears the option when you log off.
Run the following CLI command:

    admin@PA-3060> test authentication authentication-profile RADIUS-Profile username User2-RADIUS password
When prompted, enter the password for the User2-RADIUS account. The following output shows that the test failed:

    Do allow list check before sending out authentication request...
    name "User2-RADIUS" is in group "all"
    Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
    Egress: 10.5.104.98
    Authentication type: CHAP
    Now send request to remote server ...
    RADIUS error: Invalid RADIUS response received - Bad MD5
    Authentication failed against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"

In this case, the output shows Bad MD5, which indicates that there may be an issue with the secret defined in the RADIUS server profile.
To resolve this issue, modify the RADIUS server profile and ensure that the secret defined on the RADIUS server matches the secret in the server profile. On the firewall, select Device > Server Profiles > RADIUS and modify the profile named RADIUS-Profile. In the Servers section, locate the RADIUS server and modify the Secret field. Type in the correct secret and then retype to confirm. Click OK to save the change.
Run the test command again. The following output shows that the test is successful:

    Do allow list check before sending out authentication request...
    name "User2-RADIUS" is in group "all"
    Authentication to RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
    Egress: 10.5.104.98
    Authentication type: CHAP
    Now send request to remote server ...
    RADIUS CHAP auth request is NOT accepted, try PAP next
    Authentication type: PAP
    Now send request to remote server ...
    Authentication succeeded against RADIUS server at 10.5.104.99:1812 for user "User2-RADIUS"
    Authentication succeeded for user "User2-RADIUS"
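Why a mismatched secret surfaces as Bad MD5: the following Python sketch is an added example, not PAN-OS code, and assumes the error refers to the Response Authenticator check defined in RFC 2865, where the client recomputes an MD5 over the response using its own copy of the shared secret. The secrets, packet identifier and Reply-Message attribute are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept (RFC 2865)


def build_response(code, identifier, request_auth, attributes, secret):
    """Build a response the way a RADIUS server does, signing it with its secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attributes))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + resp_auth + attributes


def verify_response(packet, request_auth, secret):
    """Client-side check: recompute the MD5 with the locally configured secret."""
    if len(packet) < 20:
        return False  # shorter than the fixed RADIUS header
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False  # declared length is inconsistent with the data received
    packet = packet[:length]  # ignore padding beyond the declared length
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def demo():
    """Server signs with one secret; client verifies with matching and wrong ones."""
    request_auth = os.urandom(16)  # Request Authenticator from the Access-Request
    message = b"welcome"  # constructed Reply-Message (attribute type 18)
    attributes = bytes([18, len(message) + 2]) + message
    packet = build_response(ACCESS_ACCEPT, 7, request_auth, attributes,
                            b"server-side-secret")  # constructed secret
    return {
        "matching secret": verify_response(packet, request_auth, b"server-side-secret"),
        "mismatched secret": verify_response(packet, request_auth, b"typo-in-profile"),
        "truncated packet": verify_response(packet[:10], request_auth, b"server-side-secret"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'response accepted' if ok else 'Bad MD5 (response rejected)'}")
```

Because the client cannot tell a wrong secret from a tampered or spoofed response, both fail the same check, which is why the page's output only says there may be an issue with the secret.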
