AskF5 Knowledge Base

Applies To:

Show Versions Show Versions
Manual Chapter: Troubleshooting AAA Configurations
Manual Chapter
Table of Contents   |   << Previous Chapter

List of troubleshooting tips for authentication

Refer to these tables for all AAA server authentication troubleshooting tips.

RADIUS authentication and accounting troubleshooting tips

You may run into problems with RADIUS authentication and accounting in some instances. Follow these tips to try to resolve any issues you may encounter.

RADIUS authentication and accounting access policy action troubleshooting

Possible error messages Possible explanations and corrective actions
Authentication failed due to timeout
  • Check that the Access Policy Manager is configured as a client on the RADIUS server.
  • You may have encountered a general network connection problem.
Authentication failed due to RADIUS access reject
  • Check that the shared secret on the RADIUS server is valid.
  • Check that the user credentials are entered correctly.

Additional troubleshooting tips for RADIUS authentication and accounting

You should Steps to take
Check to see if your access policy is attempting to perform authentication
  • Refer to the message boxes in your access policy to display information on what the access policy is attempting to do.
  • Refer to/var/log/apm to view authentication and accounting attempts by the access policy.
Note: Make sure that your log level is set to the appropriate level. The default log level is notice
Check the RADIUS Server configuration
  • Confirm that the Access Policy Manager is registered as a RADIUS client. Since the Access Policy Manager makes requests from the self IP address to the RADIUS server for authentication requests, the address of the self-IP address should be registered as a RADIUS client.
  • Check the RADIUS logs and check for any errors.
Confirm network connectivity
  • Access the Access Policy Manager through the command line interface and check your connectivity by pinging the RADIUS server using the host entry in the AAA Server box.
  • Confirm that the RADIUS port 1812 is not blocked between the Access Policy Manager and the RADIUS server.
Capture a TCP dump
  • Take a TCP dump from the Access Policy Manager when authentication attempts are made. For example, %TCP dump-i 1.1 -s /tmp/dump. You must first determine what interface the self IP address is on. These TCP dumps indicate activities between the Access Policy Manager and the authentication server.
  • Run the authentication test. After authentication fails, stop the TCP dump, download the TCP dump records to a client system, and use an analyzer to troubleshoot.
Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own.

LDAP authentication and query troubleshooting tips

You may run into problems with LDAP authentication and query in some instances. Follow these tips to try to resolve any issues you may encounter.

LDAP auth and query troubleshooting

Possible error messages Possible explanations and corrective actions
LDAP auth failed
  • User name or password does not match records.
  • No LDAP server is associated with the LDAP Auth agent.
  • The target LDAP server host/port information associated with the LDAP Auth agent may be invalid.
  • The target LDAP service may be not accessible.
LDAP query failed
  • The specified administrative credential is incorrect.
  • If no administrative credential is specified, then the user name or password does not match.
  • No LDAP server is associated with the LDAP query agent.
  • The target LDAP server host/port information associated with the LDAP query agent may be invalid.
  • The target LDAP service may be not accessible.
  • If the LDAP query is successfully, then check whether the LDAP query Rules are properly configured.

Additional troubleshooting tips for LDAP authentication

You should Steps to take
Check that your access policy is attempting to perform authentication
  • Refer to the message boxes in your access policy to display information on what the access policy is attempting to do.
  • Refer to/var/log/apm to view authentication attempts by the access policy.
Note: Make sure that your log level is set to the appropriate level. The default log level is notice
Confirm network connectivity
  • Access the Access Policy Manager through the command line interface and check your connectivity by pinging the LDAP server using the host entry in the AAA Server box.
  • Confirm that the LDAP port 389 is not blocked between the Access Policy Manager and the LDAP server.
Confirm network connectivity
  • Access the Access Policy Manager through the command line interface and check your connectivity by pinging the LDAP server using the host entry in the AAA Server box.
  • Confirm that the LDAP port 389 is not blocked between the Access Policy Manager and the LDAP server.
Check the LDAP server configuration
  • Verify that the administrative credentials are correct on the LDAP server, and that they match the credentials used by the AAA entry.
Note: A good test is to use full administrative credentials with all rights. If that works, you can use less powerful credentials for verification.
Capture a TCP dump
  • Take a TCP dump from the Access Policy Manager when authentication attempts are made. For example, %tcpdump-i 1.1 -s /tmp/dump. You must first determine what interface the self-IP is on. These TCP dumps indicate activities between the Access Policy Manager and the authentication server.
  • Run the authentication test. After authentication fails, stop the TCP dump, and download the TCP dump to a client system, and use an analyzer to troubleshoot.
Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own.

Active Directory authentication and query troubleshooting tips

You may run into problems with Active Directory authentication and query processes in some instances. Follow these tips to try to resolve any issues you may encounter.

Active Directory auth authentication and query troubleshooting

Possible error messages Possible explanations and corrective actions
Domain controller reply did not match expectations.(-1765328237)

This error occurs when the principal/domain name does not match the domain controller server's database. For example, if the actual domain is SALES.MYCOMPANY.COM, and the administrator specifies STRESS as the domain, then the krb5.conf file displays the following: default_realm = SALES SALES = { domain controller = (domain controller server) admin = (admin server)

So, when the administrator tries to authenticate with useraccount@SALES, the krb5 library notices that the principal name SALES differs from the actual one in the server database.

Additional troubleshooting tips for Active Directory authentication

You should Steps to take
Check that your access policy is attempting to perform authentication
  • Refer to the message boxes in your access policy to display information on what the access policy is attempting to do.
  • Refer to /var/log/apm to view authentication attempts by the access policy.
Note: Make sure that your log level is set to the appropriate level. The default log level is notice.
Confirm network connectivity
  • Access the Access Policy Manager through the command line interface and check your connectivity by pinging the Active Directory server using the host entry in the AAA Server box.
  • Confirm that the Active Directory port 88 or 389 is not blocked between the Access Policy Manager, and the Active Directory server.
Check the Active Directory server configuration
  • Confirm that the Active Directory server name can be resolved to the correct IP address, and that the reverse name resolution (IP address to name) is also possible.
  • Confirm that the Active Directory server and the Access Policy Manager have the correct time setting configured.
Note: Since Active Directory is sensitive to time settings, use NTP to set the correct time on the Access Policy Manager.
Capture a TCP dump
  • Take a TCP dump from the Access Policy Manager when authentication attempts are made. For example, %tcpdump-i 1.1 -s /tmp/dump. You must first determine what interface the self-IP is on. These TCP dumps indicate activities between the Access Policy Manager and the authentication server.
  • Run the authentication test. After authentication fails, stop the TCP dump, and download the TCP dump to a client system, and use an analyzer to troubleshoot.
Important: If you decide to escalate the issue to customer support, you must provide a capture of the TCP dump when you encounter authentication issues that you cannot otherwise resolve on your own.

RSA SecurID on Windows using RADIUS configuration troubleshooting tips

You may run into problems with RSA SecurID on Windows using RADIUS configuration. Follow these tips to try to resolve any issues you may encounter.

RSA SecurID on Windows using RADIUS configuration troubleshooting

Possible error messages Possible explanations and corrective actions
The RADIUS server is inactive Even if the RADIUS server has been started from the SecurID options window on the Windows SecurID server, the server may not be active. In the Windows Services Manager, make sure that the server is set to start each time the server boots, and is currently running. RSA SecurID authentication using RADIUS takes place on a different port than the native securid ID.
The SecurID is configured incorrectly for RADIUS authentication While using RSA SecurID over RADIUS, the SecurID server is a client of itself. The RADIUS service functions as a standalone process, and if the SecurID server is not set up as a client of itself, it rejects the Access Policy Manager authentication request and does not store anything in the logs.
No response from the RSA SecurID server Check that the RSA SecurID is configured properly. To facilitate communication between the Access Policy Manager and the RSA SecurID, you must add an Agent Host recordto the RSA Authentication Manager database. The Agent Host record identifies the Access Policy Manager within its database, and contains information about communication and encryption. To create the Agent Host record, you need the following information.
  • Host name
  • IP addresses for all network interfaces
  • RADIUS secret (Click Assign/Change Encryption Key to enter the secret. This RADIUS secret must match the corresponding RADIUS secret on the Access Policy Manager.)
When adding the Agent Host record, you should configure the Access Policy Manager as a communication server. This setting is used by the RSA Authentication Manager to determine how communication with the Access Policy Manager will occur.

OCSP authentication troubleshooting tips

You may run into problems with OCSP authentication in some instances. Follow these tips to try to resolve any issues you may encounter.

OCSP auth and query troubleshooting

Possible error messages Possible explanations and corrective actions
No AAA server associated with the agent Make sure that a valid OCSP responder configuration is assigned to the OCSP agent in the access policy.
User/Issuer certificate not found for the session The user/issuer certificate session variables are missing. Make sure that either the Client Cert Inspection agent or On-Demand Cert Auth agent is configured in the access policy (or use a variable assignment agent to create them).
Failure to connect to OCSP responder (BIO callback failure) Make sure that the OCSP responder is up and running and reachable from the BIG-IP.
Error parsing the OCSP response (invalid response) Indicates that no valid basic response was found in the OCSP response. Check the configuration on the remote OCSP responder.
Error signing OCSP request Make sure that the signing certs/key are valid.
No valid nonce found in the response This happens when nonce setting is enabled on the OCSP responder configuration and the received OCSP response doesn't contain a valid nonce. Check the remote OCSP responder connection and setting.
Nonce verification failed This happens when the nonce received in the response doesn't match with the nonce sent in the request. Make sure that the connection from BIG-IP to OCSP responder is secure.
Failure to verify response Make sure that the OCSP responder has a valid CA and verify other certificate settings.
Status times invalid Make sure that the BIG-IP and OCSP responder clocks are in sync.
OCSP response - Cert with serial number 'x' has been revoked Indicates that the status of the user certificate is revoked.
Failed to add cert to OCSP request Indicates a failure in creating the OCSP request; either the supplied user/issuer certificates are not valid or the CertID digest configured in the OCSP responder setting is not valid.

CRLDP authentication troubleshooting tips

You may run into problems with CRLDP authentication in some instances. Follow these tips to try to resolve any issues you may encounter.

CRLDP auth and query troubleshooting

Possible error messages Possible explanations and corrective actions
No AAA server associated with the agent Make sure that a valid CRLDP responder configuration is assigned to the CRLDP agent in the access policy.
User/Issuer certificate not found for the session The user/issuer certificate session variables are missing. Make sure that either the Client Cert Inspection agent or On-Demand Cert Auth agent is configured in the access policy (or use a variable assignment agent to create them).
Failure to connect to CRLDP server Make sure that the CRLDP server is up and running and reachable from the BIG-IP.
No LDAP URL found in the DP list Indicates that no valid CRL DP is configured on the LDAP server. Make sure that the LDAP server used in the CRLDP server configuration has valid CRL DPs configured.
CRLDP response - Cert with serial number 'x' has been revoked Indicates that the status of the user certificate is revoked.

TACACS+ authentication troubleshooting tips

You may run into problems with TACACS+ authentication in some instances. Follow these tips to try to resolve any issues you may encounter.

TACACS+ auth and query troubleshooting

Possible error messages Possible explanations and corrective actions
No AAA server associated with the agent Make sure that a valid TACACS+ server configuration is assigned to the TACACS+ auth/acct agent in the access policy.
Failure to connect to TACACS+ server Make sure that the TACACS+ server is up and running and reachable from the BIG-IP.
Login incorrect Supplied user credentials are not valid.
Invalid reply content, incorrect key Make sure that the shared encryption key configured on the TACACS+ server configuration matches with the key on the remote TACACS+ server.
Invalid AUTHEN/START packet from server Indicates either the wrong keys or that the authentication action (LOGIN) is not supported on the server.
Uacceptable authen method Indicates that the TACACS+ server doesn't support the authentication. Check the settings on the server.
Unexpected failure return/llegal status value from authentication function/Permission error Caused by internal errors on the remote TACACS+ server. Check the logs on the remote TACACS+ server and also the configuration.
Table of Contents   |   << Previous Chapter

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)