
Defender 5.11 - Administration Guide


Step 2: Analyze Defender Security Server log

The default location for the Defender Security Server log files is %ProgramFiles%\One Identity\Defender\Security Server\Logs.

To analyze the Defender Security Server log files, take the following actions:

  1. Locate an affected user in the Defender Security Server log files by searching for the user’s ID. Each request received by the Defender Security Server is recorded in the log files. The example log messages in this section show records for a user whose user ID is testuser.
  2. If the user ID cannot be found in the log, then verify that any deployed VPN servers are functioning correctly. The log message shown below would be seen for each request received by Defender regardless of whether or not it was successful.

    <Time> Radius request: Access-Request for <User Id> from <Client IP> through NAS:<Access Node Name> Request ID: <N/A> Session ID: <Unique Session ID>

  3. Using the Unique Session ID, cycle through the log messages associated with the user’s session. For example, a successful session will look like this:

    Tue 18 Aug 2009 11:57:10 Radius Request from 192.168.10.106:2951 Request ID: 31
    Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.100.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F
    Tue 18 Aug 2009 11:57:10 User testuser authenticated with Active Directory Password Session ID:8A89040F
    Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F

  4. Locate the relevant error message reason in Table 37 below and take the recommended actions.

Table 37: Reasons Defender Security Server log error messages

Each entry gives the log message, its meaning, and the recommended actions.

Message:
    Reason: Invalid response
    Radius response: Authentication rejected
    User-Name: testuser
Meaning: Incorrect token response.
Recommended actions:
  • Verify the correct response is being entered.
  • Check the response in the administration console.
  • Check if a PIN is configured for the user.

Message:
    Reason: Account locked out due to invalid attempts
    Radius response: Authentication Rejected
    User-Name: testuser
Meaning: The user’s account is locked in Defender.
Recommended actions: Use the Defender Administration Console to reset the violation count for the user.

Message:
    Reason: Invalid password
    Radius response: Authentication Rejected
    User-Name: testuser
Meaning: Incorrect Active Directory password.
Recommended actions: Verify the correct password is being entered.

Message:
    authentication abandoned user testuser
Meaning: Session timed out while waiting for the user’s response.
Recommended actions: Verify connectivity between the client and the Defender Security Server on the configured RADIUS port.

Message:
    Reason: User not valid for this route
    Radius response: Authentication Rejected
    User-Name: testuser
Meaning: This message can be caused by one of the following:
  • The user is not a member of the Access Node.
  • The user does not have a token.
  • The user is not a Defender user.
  • There is no license available for the user.
  • The client IP is not permitted by the Access Node.
Recommended actions:
  • Verify the members of the Access Node.
  • Verify that the user has a Defender token assigned.
  • Verify that suitable licenses exist.
  • Verify the client IP.

Message:
    Domain Search from CN=testuser,CN=Users,DC=child,DC=democorp,DC=local took 57 seconds
    LDAP failed (-1)finding user testuser
Meaning: Active Directory search has failed. This can happen if, for example, the child domain is unavailable.
Recommended actions: Verify that the Defender service account has sufficient permissions or is a member of the Domain Administrators group.

Message:
    LDAP failed (50) writing token data for CN=PDWIN1348400003,OU=Tokens,OU=Defender,DC=democorp,DC=local
    Failed to write token data to LDAP
Meaning: The Defender service account does not have sufficient permissions in Active Directory to update the user’s token information.
Recommended actions: Verify that the Defender service account has sufficient permissions or is a member of the Domain Administrators group.
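As an added illustration of the four steps above (not part of the guide or of One Identity's software), the following Python script groups Defender Security Server log records by Session ID for one user ID and maps each rejection reason to its Table 37 action. The sample log is constructed in the guide's record format; the regular expressions, and the assumption that a "Reason:" message is logged on its own line tagged with the Session ID, are mine.

```python
import re
from collections import defaultdict

# Record shapes from the guide's sample messages ("Session ID:" with or without a space).
REQUEST_RE = re.compile(r"Access-Request for (?P<user>\S+) from .*Session ID:\s*(?P<sid>\w+)")
SESSION_RE = re.compile(r"Session ID:\s*(?P<sid>\w+)")
REASON_RE = re.compile(r"Reason: (?P<reason>.+?)(?: Session ID:|$)")

ACTIONS = {  # recommended actions, condensed from Table 37 of the guide
    "Invalid response": "Verify the token response and whether a PIN is configured.",
    "Account locked out due to invalid attempts": "Reset the user's violation count.",
    "Invalid password": "Verify the Active Directory password.",
    "User not valid for this route": "Check Access Node membership, token, licence and client IP.",
}

def sessions_for_user(lines, user_id):
    """Group log lines by Session ID, keeping only sessions opened by user_id (steps 1-3)."""
    wanted, sessions = set(), defaultdict(list)
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and m.group("user") == user_id:
            wanted.add(m.group("sid"))          # the Access-Request opens the session
        s = SESSION_RE.search(line)
        if s and s.group("sid") in wanted:
            sessions[s.group("sid")].append(line)
    return dict(sessions)

def diagnose(session_lines):
    """Classify one session's outcome and look up the Table 37 action (step 4)."""
    for line in session_lines:
        if "Authentication Acknowledged" in line:
            return "accepted", "None"
        if "authentication abandoned" in line:
            return "abandoned", "Verify client-to-DSS connectivity on the RADIUS port."
        m = REASON_RE.search(line)
        if m:
            reason = m.group("reason").strip()
            return "rejected: " + reason, ACTIONS.get(reason, "See Table 37.")
    return "incomplete", "No response logged; check that the request reached the DSS."

# Constructed sample log in the guide's format (not a real capture).
SAMPLE_LOG = """\
Tue 18 Aug 2009 11:57:10 Radius request: Access-Request for testuser from 192.168.10.106:2951 through NAS:WebMail Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 11:57:10 Radius response: Authentication Acknowledged User-Name: testuser, Request ID: 31 Session ID: 8A89040F
Tue 18 Aug 2009 12:03:41 Radius request: Access-Request for testuser from 192.168.10.106:2960 through NAS:WebMail Request ID: 32 Session ID: 8A890410
Tue 18 Aug 2009 12:03:41 Reason: Invalid response Session ID: 8A890410
Tue 18 Aug 2009 12:03:41 Radius response: Authentication Rejected User-Name: testuser, Request ID: 32 Session ID: 8A890410
Tue 18 Aug 2009 12:05:02 Radius request: Access-Request for otheruser from 192.168.10.107:3001 through NAS:WebMail Request ID: 33 Session ID: 8A890411
Tue 18 Aug 2009 12:05:02 Reason: Invalid password Session ID: 8A890411
"""
```

Run `diagnose` over each value of `sessions_for_user(SAMPLE_LOG.splitlines(), "testuser")` to get one (outcome, action) pair per session; a session with a request but no response is reported as incomplete so the connectivity check in step 2 is not skipped.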

Step 3: Gather further diagnostics

If Step 1: Gather required information and Step 2: Analyze Defender Security Server log have not resolved the issue, further diagnostics may be required, including collecting environmental details and tracing. Contact One Identity Support for advice on how to enable tracing. You will need to provide the version number of the Defender Administration Console and Defender Security Server you are using. Normally, you can find the Defender trace files in the following location: %ProgramData%\One Identity\Diagnostics.

Appendix C: Troubleshooting DIGIPASS token issues

Steps to troubleshoot DIGIPASS hardware token issues are:

Step 1: Determine type of failure

  1. Determine if this is a token hardware failure.

    If the answer is Yes to any of the next questions, refer to the steps described in One Identity Knowledge Article SOL45444 “Defender token failures”.

    • Does the token only display 000000?
    • Is the token display blank when the token button is pressed?
    • Is the token display intermittent?
    • Does the token display the same number every time? Note that the number is set to change every 36 seconds.
    • Does the token display batt x, where x indicates the number of months the battery has left?

    If the answer to the above questions is No, go to the next step.

  2. Does the token display dp G0 7 before a number is displayed?

    If so, this means the token is set to display its type, that is, DIGIPASS GO 7, before the number. This is not an error. Ask the user to log on with the number displayed. If this is not successful, go to the next step.

    If a six-digit number is displayed immediately, go to the next step.

  3. If a token number is displayed as expected, but logon fails, further investigation within Defender and Active Directory may be required.

    Gather and record the following information:

    • Has the user ever successfully logged on with this token? If so, when was the last time the user successfully logged on with it?
    • What are the user ID and the token serial number?
    • What is the error the user sees when they try to log on?