VPN login troubleshooting
Contents
- 1 Overview
- 2 Prerequisites
- 3 Trouble Shooting Steps
- 3.1 Issue affecting all users
- 3.2 RADIUS or AGENT requests
- 3.3 RADIUS or AGENT Messages
- 3.4 RADIUS or Agent other messages
- 3.5 Username check
- 3.6 RADIUS or AGENT Failed messages
- 3.7 Swivel password reset
- 3.8 PIN extraction
- 3.9 Some users can login
- 3.10 Swivel server issue
- 3.11 VPN Issue
- 3.12 VPN server issue checks
- 3.13 AD authentication failing
- 3.14 RADIUS ACCEPT or AGENT Success messages
- 4 Support escalation
- 5 24 hour support information
- 6 Additional Useful Pages
Overview
This guide outlines how to troubleshoot a VPN login. It assumes that Swivel and the VPN have been correctly configured, that primary login is by LDAP to Active Directory, and that Swivel is the secondary authentication by RADIUS or Swivel Agent-XML using the graphical TURing login.
Authentication Process Overview
The user enters a username and password and, from the image, generates a One Time Code (OTC). The AD username and password are checked first, and only if that check is successful is the Swivel OTC checked. If the AD password fails, Swivel will not receive any authentication requests. However, a session request for a TURing image may still be generated, as that is called outside of the authentication process.
Prerequisites
Swivel 3.x as a secondary authentication using RADIUS or Swivel Agent-XML
VPN using LDAP for primary authentication against AD
Trouble Shooting Steps
Are some users able to login ok?
Issue affecting all users
Is the graphical TURing image available?
RADIUS or AGENT requests
Do the Swivel logs show any RADIUS or AGENT requests (Access Accept, Reject, Login successful or failed, etc.)?
RADIUS or AGENT Messages
Do the Swivel logs show any RADIUS Access Accept or AGENT Login successful for user messages?
Yes: RADIUS ACCEPT or AGENT Success messages
No: RADIUS or Agent other messages
RADIUS or Agent other messages
Do the Swivel logs show any RADIUS Access Reject or AGENT Login failed for user messages?
Yes: RADIUS or AGENT Failed messages
Username check
Does the username entered exist and match that of the session request and the authentication message?
No: wait for a user sync or perform one manually
Yes: PIN extraction (return)
RADIUS or AGENT Failed messages
Is the Swivel account locked?
Swivel password reset
Has the Swivel password been reset to a blank (left empty) value?
Yes: PIN extraction
PIN extraction
Does the user know how to log in and extract their PIN to enter an OTC?
Yes: Username check
Some users can login
Is the service affecting only users on one Swivel server on a Swivel instance in an A/A or A/P pair?
No: VPN Issue
Swivel server issue
Do the status pages of each Swivel server show the same number of users for each category?
Yes: VPN Issue
No: MySQL Appliance Database Synchronisation
VPN Issue
Is the service affecting only users on one VPN server on a VPN instance in an A/A or A/P pair?
VPN server issue checks
Check the VPN logs for errors
If the VPN is an HA cluster, ensure that its nodes are correctly configured
AD authentication failing
The authentication process is stopping before it reaches the Swivel server.
Check the AD account is not locked
Reset the AD password
RADIUS ACCEPT or AGENT Success messages
This shows that Swivel is allowing the login and is functioning as expected. If further failure occurs, it may be that the RADIUS response is not being received by the VPN, or that the next step on the VPN, such as the user's allowable resources, is not configured.
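The log-based decisions in the steps above can be applied to an exported Swivel log in one pass. The following is an added example, not part of the original guide or Swivel's own tooling; the log line layout and the `triage` helper are assumptions, and only the message phrases and section names are taken from this page.

```python
import re

# Constructed sample lines. The line layout is an assumption; only the message
# phrases (session request, Access Accept/Reject, Login successful/failed for
# user) are taken from the guide. Adjust the patterns to the real log text.
SAMPLE_LOG = """\
10:01:02 INFO Session request for TURing image, user: alice
10:01:09 INFO RADIUS: Access Accept sent for user: alice
10:02:11 INFO Session request for TURing image, user: bob
10:02:20 INFO AGENT: Login failed for user: bob
10:03:30 INFO Session request for TURing image, user: carol
10:04:05 INFO Session request for TURing image, user: Dave
10:04:12 INFO RADIUS: Access Reject sent for user: dave
"""

PATTERNS = {
    "session": re.compile(r"Session request.*user:?\s+(\S+)$", re.I),
    "accept": re.compile(r"(?:Access Accept|Login successful).*user:?\s+(\S+)$", re.I),
    "reject": re.compile(r"(?:Access Reject|Login failed).*user:?\s+(\S+)$", re.I),
}

def triage(log_text):
    """Map each username seen in the log to the guide section to follow next."""
    sessions, outcome = set(), {}
    for line in log_text.splitlines():
        for kind, rx in PATTERNS.items():
            m = rx.search(line.strip())
            if not m:
                continue
            if kind == "session":
                sessions.add(m.group(1))
            else:
                outcome[m.group(1)] = kind  # the latest auth result wins
            break
    folded_auth = {u.casefold() for u in outcome}
    result = {}
    for user in sorted(sessions | set(outcome)):
        if outcome.get(user) == "accept":
            result[user] = "RADIUS ACCEPT or AGENT Success messages"
        elif user in outcome and user in sessions:
            result[user] = "RADIUS or AGENT Failed messages"
        elif user in outcome or user.casefold() in folded_auth:
            # Auth message and session request disagree on the username.
            result[user] = "Username check"
        else:
            # Image requested but no auth request reached Swivel.
            result[user] = "AD authentication failing"
    return result
```

Calling `triage(SAMPLE_LOG)` returns one section name per username; a user with only a session request falls under "AD authentication failing" because, as described in the overview, Swivel never sees an authentication request when the AD check fails.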
Support escalation
End users: contact their company
Company support staff: contact their reseller
Reseller: contact their distributor or Swivel
24 hour support information
Only for Priority One (P1) situations where large numbers of users cannot authenticate.