AGENT ERROR NO SECURITY STRINGS

From Swivel Knowledgebase
Revision as of 12:52, 11 May 2017 by Admin (talk | contribs) (1 revision imported)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

Logo.gif


Overview

The error AGENT ERROR NO SECURITY STRINGS can be seen in a number of different circumstances, this document covers how to troubleshoot the issues involved.


Prerequisites

Swivel 3.x


Symptoms

RADIUS: <0> Access-Request(1) LEN=192.168.0.1:1001 Access Request by username Failed: AccessRejectException: AGENT_ERROR_NO_SECURITY_STRINGS

and

Login failed for user:username, error: The user does not have any security strings suitable for the authentication.

Repeated authentication attempts may cause accounts to become locked.


Solution

The user is attempting a dual channel authentication, but the user has not been sent any security strings. This can be because:

  • A single channel security string is being requested from one Swivel instance, but the authentications are being made against another Swivel instance. Since the Swivel instance carrying out an authentication has not received any single channel session starts it produces the AGENT_ERROR_NO_SECURITY_STRINGS message. Enable Session Sharing or Swivel RADIUS Proxy.
  • No transport has been defined for the security strings to be sent check the settings on the Administration console under Transport/General.
  • The destination attribute for the Transport has not been set or is incorrect, check the settings on the Administration console under Transport/General.
  • A user is attempting a single channel authentication, but the single channel request has not reached Swivel, look for session start messages in the Swivel logs.
  • The access device is adding the domain name to the authentication in the format domain\username, check the logs to compare the authentication username against session start username requests.
  • A user is attempting a single channel authentication, but their account is locked, disabled or deleted. They will get a dummy security string, but that is not valid for authentication. Enable the account if appropriate.
  • The user is attempting a mobile client authentication but the OTC is being entered without the nn or ,nn at the end of the OTC, whereby nn is the number given with the security string.
  • The user is attempting a Token authentication but entering the wrong number of digits, attempting to incorrectly use a PIN, or has not been provisioned with a token.
  • Swivel 3.8.4256 has an error whereby On demand authentication security strings do not match those in the View Security strings.