Difference between revisions of "VPN login troubleshooting"

From Swivel Knowledgebase
Jump to: navigation, search
 
m (1 revision imported)
 
(No difference)

Latest revision as of 12:52, 11 May 2017


Overview

This guide outlines how to troubleshhot a VPN login, it assumes that Swivel and the VPN have been correctly configured and that primary login is by LDAP to Active Directory and Swivel is the Secondary Authentication by RADIUS or Swivel Agent-XML using the graphical TURing login.


Authentication Process Overview

The user enters a username and Password and from the image generates a One Time Code OTC. The AD Username and Password is checked first, and only if that is successful, is the Swivel OTC checked. If the AD password fails then the Swivel will not receive any authentication requests. However a session request for a TURing image may still be generated as that is called outside of the authentication process.


Prerequisites

Swivel 3.x as a secondary authentication using RADIUS or Swivel Agent-XML

VPN using LDAP form Primary authentication against AD


Trouble Shooting Steps

Are some users able to login ok?

Yes Some users can login

No Issue affecting all users


Issue affecting all users

Is the graphical TURing image available?

Yes RADIUS or AGENT requests

No Turing Image absent


RADIUS or AGENT requests

Do the Swivel logs show any RADIUS or AGENT requests (Access Accept, Reject, Login successful or failed, etc)

Yes RADIUS or AGENT messages

No AD authentication failing


RADIUS or AGENT Messages

Do the Swivel logs show any RADIUS Access Accept or AGENT Login successful for user messages

Yes RADIUS ACCEPT or AGENT Success messages

No RADIUS or Agent other messages


RADIUS or Agent other messages

Do the Swivel logs show any RADIUS Access Reject or AGENT Login failed for user messages

Yes RADIUS or AGENT Failed messages

No Error Messages


Username check

Does the username entered exist and match that of the session request and the authentication message

No wait for a user sync or perform one manually

Yes PIN extraction (return)


RADIUS or AGENT Failed messages

Is the Swivel account locked?

Yes Unlock an Account

No Swivel password reset


Swivel password reset

Has the Swivel Password been reset to a blank (left empty value)

Yes PIN extraction

No Reset a Users Password


PIN extraction

Does the user know how to login and ectract their PIN to enter a OTC

No PINsafe User Guide

Yes Username check


Some users can login

Is the service affecting only users on one Swivel server on Swivel instance in an A/A or A/P pair

Yes Swivel server issue

No VPN Issue


Swivel server issue

Do the status pages of each Swivel server show the same number of users for each category?

Yes VPN Issue

No MySQL Appliance Database Synchronisation


VPN Issue

Is the service affecting only users on one VPN server on a VPN instance in an A/A or A/P pair

Yes VPN server issue checks

No RADIUS or AGENT requests


VPN server issue checks

Check the VPN logs for errors

If a VPN HA cluster ensure that they are correctly configured


AD authentication failing

The authentication process is stopping before it reaches the Swivel server.

Check the AD account is not locked

Reset the AD password


RADIUS ACCEPT or AGENT Success messages

This shows that the Swivel is allowing the login and is functioing as expected. If further failure occurs it may be that the RADIUS is not being received by the VPN or that the next step on the VPN is not configured such as their allowable resources.


Support escalation

End users: Contact their company

Company support staff: contact their reseller

Reseller: contact their distributor or Swivel


24 hour support information

Only for Priority One (P1) situations where large numbers of users cannot authenticate.

24x7 Support


Additional Useful Pages

Helpdesk Operations User Guide

Error Messages

Support Ticket How To Guide

Troubleshooting Files FAQ