Chatta subito con l'assistenza
Chat con il supporto

Defender 5.11 - Administration Guide

Getting started Managing Defender objects in Active Directory Configuring security tokens Securing VPN access Securing Web sites Securing Windows-based computers Defender Management Portal (Web interface) Securing PAM-enabled services Delegating Defender roles, tasks, and functions Automating administrative tasks Administrative templates Integration with Active Roles Appendices
Appendix A: Enabling diagnostic logging Appendix B: Troubleshooting common authentication issues Appendix C: Troubleshooting DIGIPASS token issues Appendix D: Defender classes and attributes in Active Directory Appendix E: Defender Event Log messages Appendix F: Defender Client SDK Appendix G: Defender Web Service API

Step 2: Analyze Defender Security Server log

The default location for the Defender Security Server log files is %ProgramFiles%\One Identity\Defender\Security Server\Logs.

To analyse the Defender Security Server log files, take the following actions:

  1. Locate an affected user in the Defender Security Server log files by searching for the user’s ID. Each request received by the Defender Security Server is recorded in the log files. The example log messages in this section show records for a user whose user ID is testuser.
  2. If the user ID cannot be found in the log, then verify that any deployed VPN servers are functioning correctly. The log message shown below would be seen for each request received by Defender regardless of whether or not it was successful.

    <Time> Radius request: Access-Request for <User Id> from <Client IP> through NAS:<Access Node Name> Request ID: <N/A> Session ID: <Unique Session ID>

  3. Using the Unique Session ID, cycle through the log messages associated with the user’s session. For example a successful session will look like this:

Tue 18 Aug 2009 11:57:10 Radius Request from 192.168.10.106:2951 Request ID: 31
Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.100.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 11:57:10 User testuser authenticated with Active Directory Password Session ID:8A89040F
Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F

  1. Locate the relevant error message reason in the table below and take the recommended actions.

 

Table 37:

Reasons Defender Security Server log error messages

Message

Meaning

Recommended actions

Reason: Invalid response

Radius response: Authentication rejected

User-Name: testuser

Incorrect token response.
  • Verify the correct response is being entered.
  • Check the response in the administration console.
  • Check if PIN configured for user.

Reason: Account locked out due to invalid attempts

Radius response: Authentication Rejected

User-Name: testuser

User’s account is locked in Defender.

Use the Defender Administration Console to reset violation count for the user.

Reason: Invalid password

Radius response: Authentication Rejected

User-Name: testuser

Incorrect Active Directory password.

Verify the correct password is being entered.

authentication abandoned user testuser

Session timed out while waiting for user response.

Verify connectivity between the client and the Defender Security Server on the configured RADIUS port.

Reason: User not valid for this route

Radius response: Authentication Rejected

User-Name: testuser

This message can be caused by one of the following:

  • User is not a member of the Access Node.
  • User does not have a token.
  • User is not a Defender user.
  • There is no license available for the user.
  • Client IP not permitted by the Access Node.
  • Verify the members of the Access Node.
  • Verify the user has a Defender token assigned.
  • Verify that suitable licenses exist.
  • Verify the IP.

Domain Search from CN=testuser,CN=Users,DC=child,DC=democor p,DC=local took 57 seconds

LDAP failed (-1)finding user testuser

Active Directory search has failed. This can happen if, for example, the child domain is unavailable.

Verify that the Defender service account has sufficient permissions or is a member of the Domain Administrators group.

LDAP failed (50) writing token data for CN=PDWIN1348400003,OU=Tokens,OU=Defender,DC=democorp,DC=local

Failed to write token data to LDAP

The Defender service account does not have sufficient permissions in Active Directory to update the user’s token information.

Verify that the Defender service account has sufficient permissions or is a member of the Domain Administrators group.

Step 3: Gather further diagnostics

If Step 1: Gather required information and Step 2: Analyze Defender Security Server log have not resolved the issue, further diagnostics may be required, including collecting environmental details and tracing. Contact One Identity Support for advice on how to enable tracing. You will need to provide the version number of the Defender Administration Console and Defender Security Server you are using. Normally, you can find the Defender trace files in the following location: %ProgramData%\One Identity\Diagnostics.

Appendix C: Troubleshooting DIGIPASS token issues

Steps to troubleshoot DIGIPASS hardware token issues are:

Step 1: Determine type of failure

  1. Determine if this is a token hardware failure.

    If the answer is Yes to any of the next questions, refer to the steps described in One Identity Knowledge Article SOL45444 “Defender token failures”.

    • Does the token only display 000000?
    • Is the token display blank when the token button is pressed?
    • Is the token display intermittent?
    • Does the token display the same number every time? Note that the number is set to change every 36 seconds.
    • Does the token display batt x, where x indicates the number of months the battery has left?

    If the answer to the above questions is No, go to the next step.

  2. Does the token display dp G0 7 before a number is displayed?

    If so, this means the token is set to display it’s type, that is, DIGIPASS GO 7, before the number. This is not an error. Ask the user to log on with the number displayed. If this is not successful, go to the next step.

    If a six digit number is displayed immediately, go to the next step.

  3. If a token number is displayed as expected, but logon fails, further investigation within Defender and Active Directory may be required.

    Gather and record the following information:

    • Has the user ever successfully logged on with this token, if so, when was the last time the user successfully logged on with the token?
    • What are the user ID and the token serial number?
    • What is the error the user sees when they try to log on?
Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione