Created on 10-10-2018 01:10 AM Edited on 12-29-2021 01:56 PM By Anonymous
Description
Scope
Version: 8.x
Solution
1. While the client is connected, navigate to Hosts > Host View in the Administration UI and verify the User ID is reflected as the logged-on user.
2. If the logged-on User ID is displayed, right-click the host record and select Policy Details.
3. Verify that the correct Network Access Policy matches. This is required for versions 8.5 and above. For details, see the related KB article below.
4. If the policy is correct, check Palo Alto and verify User ID and IP address are listed.
5. If the User ID is not present in Palo Alto, verify FortiNAC is sending the information. Log into the appliance CLI as root.
6. Enable Palo Alto integration debug by executing the following command:
CampusMgrDebug -name OutboundSingleSignOn true
If this option is not available, use:
nacdebug -name SSOManager true
7. Tail the output.master log to a separate file. Type:
tail -F /bsc/logs/output.master > /bsc/logs/PaloAltoSSOTest.txt
8. Have the user logoff and logon to the network.
9. Press Ctrl-C to stop the tail.
10. Check /bsc/logs/PaloAltoSSOTest.txt to verify that the IP addresses and usernames have been sent to Palo Alto.
Example output:
PaloAlto UserIDMessage( 10.34.24.153:jsmith )
11. Disable debug. Execute the following command:
CampusMgrDebug -name OutboundSingleSignOn false
or
nacdebug -name SSOManager false
12. Download PaloAltoSSOTest.txt from the appliance using WinSCP or a similar SCP client.
13. Open a support ticket and provide the following information:
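To check a downloaded PaloAltoSSOTest.txt (steps 10 and 12) without reading it by hand, here is an added example in Python that is not part of the Fortinet article: it extracts the IP/username pairs from the UserIDMessage lines in the format the article shows and reports whether the expected pair was sent. The sample capture and its timestamp prefix are constructed, not real appliance output.

```python
import re
from typing import Dict, List, Tuple

# Only format assumed is the one the article shows:
#   PaloAlto UserIDMessage( 10.34.24.153:jsmith )
# Any timestamp or logger prefix on the line is ignored.
USERID_RE = re.compile(r"PaloAlto UserIDMessage\(\s*([0-9.]+):(\S+?)\s*\)")


def parse_userid_messages(text: str) -> List[Tuple[str, str]]:
    """Return (ip, username) pairs in the order FortiNAC logged them."""
    return [(m.group(1), m.group(2)) for m in USERID_RE.finditer(text)]


def last_user_by_ip(text: str) -> Dict[str, str]:
    """Map each IP to the last username sent for it; a later message for the
    same IP supersedes an earlier one, as the firewall's mapping would."""
    mapping: Dict[str, str] = {}
    for ip, user in parse_userid_messages(text):
        mapping[ip] = user
    return mapping


def check_sso(text: str, ip: str, user: str) -> str:
    """Summarise what the capture shows for the user who logged on in step 8."""
    sent = last_user_by_ip(text)
    if not sent:
        return "no UserIDMessage lines: debug not enabled or nothing was sent"
    if ip not in sent:
        return f"nothing sent for {ip}: recheck Host View and Policy Details"
    if sent[ip] != user:
        return f"{ip} was sent as {sent[ip]}, expected {user}"
    return f"ok: {ip}:{user} was sent to Palo Alto"


# Constructed sample capture (not real appliance output): the same IP is
# reported twice, so only the later username should count.
SAMPLE = """\
2018-10-10 01:10:05 PaloAlto UserIDMessage( 10.34.24.153:jsmith )
2018-10-10 01:10:09 unrelated line from output.master
2018-10-10 01:12:31 PaloAlto UserIDMessage( 10.34.24.153:jdoe )
2018-10-10 01:12:40 PaloAlto UserIDMessage( 10.34.24.77:asmith )
"""

if __name__ == "__main__":
    print(check_sso(SAMPLE, "10.34.24.153", "jdoe"))
```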
Related Articles
Technical Note: User ID information not sent to Palo Alto using logical networks
Technical Note: FortiGate and Palo Alto Single Sign-On stop working after upgrade
Copyright 2024 Fortinet, Inc. All Rights Reserved.