CTX114999
NetScaler,NetScaler Gateway
NetScaler 10,NetScaler Gateway 10_1,Access Gateway 10
Authentication
2016-03-31
2014-04-11
This article describes how to troubleshoot authentication with Aaad.debug.

Objective

This article describes how to troubleshoot authentication through NetScaler or NetScaler Gateway with Aaad.debug.

Authentication processing in Access Gateway Enterprise Edition is handled by the Authentication, Authorization, and Auditing (AAA) daemon. The raw authentication events that the AAA daemon processes can be monitored by viewing the output of the aaad.debug module, which serves as a valuable troubleshooting tool. Aaad.debug is a pipe, as opposed to a flat file, and does not display the results or log them. Therefore, the cat command can be used to view the output of aaad.debug. The process of using nsaaad.debug to troubleshoot an authentication problem is typically referred to as "debugging aaad." This process is useful for troubleshooting authentication issues such as:

  • General authentication errors

  • Username/password failures

  • Authentication policy configuration errors

  • Group extraction discrepancies

This process applies to Access Gateway Enterprise Edition and the NetScaler appliance.

Instructions

To troubleshoot authentication with Aaad.debug, complete the following procedure:

  1. Connect to the Access Gateway Enterprise Edition command line interface with a Secure Shell (SSH) client such as PuTTY.

  2. Run the following command to switch to the shell prompt:
    shell

  3. Run the following command to change to the /tmp directory:
    cd /tmp

  4. Run the following command to start the debugging process:
    cat aaad.debug

  5. Perform the authentication process that requires troubleshooting, such as a user logon attempt.

  6. Monitor the output of the cat aaad.debug command to interpret and troubleshoot the authentication process.

  7. Stop the debugging process by pressing Ctrl+Z.

  8. Run the following command to record the output of aaad.debug to a log file:
    cat aaad.debug | tee /var/tmp/<debuglogname>
    Where /var/tmp is the required directory path and <debuglogname.log> is the required log name.

The following section provides examples of how aaad.debug can be used to troubleshoot and interpret an authentication error.

Incorrect Password

In this example, the user entered an incorrect Lightweight Directory Access Protocol (LDAP) password.
    Fri Oct 19 17:53:20 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[40]: start_ldap_auth attempting to auth scottli @ 10.12.33.216
    Fri Oct 19 17:53:20 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[291]: recieve_ldap_bind_event receive ldap bind event
    Fri Oct 19 17:53:20 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[551]: recieve_ldap_user_search_event built group string for scottli of:Domain Admins
    Fri Oct 19 17:53:22 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1198]: send_reject sending reject to kernel for : scottli

Invalid Username

In this example, the user entered an incorrect username.
    /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[40]: start_ldap_auth attempting to auth scott @ 10.12.33.216
    Fri Oct 19 17:53:30 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[291]: recieve_ldap_bind_event receive ldap bind event
    Fri Oct 19 17:53:30 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[534]: recieve_ldap_user_search_event ldap_first_entry returned null, user not found
    Fri Oct 19 17:53:30 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1198]: send_reject sending reject to kernel for : scott

Invalid LDAP Bind Attempt

In this example, an invalid set of LDAP bind credentials was defined in the authentication policy.
    Fri Oct 19 18:17:16 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[359]: process_kernel_socket call to authenticate user :scottli, vsid :527
    Fri Oct 19 18:17:16 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[40]: start_ldap_auth attempting to auth scottli @ 10.12.33.216
    Fri Oct 19 18:17:18 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[291]: recieve_ldap_bind_event receive ldap bind event
    Fri Oct 19 18:17:18 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[326]: recieve_ldap_bind_event ldap_bind with binddn bindpw failed:Invalid credentials
    Fri Oct 19 18:17:18 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/naaad.c[1198]: send_reject sending reject to kernel for : scottli

Determining Group Extraction Results

In this example, the group extraction results can be determined.
    Fri Oct 19 18:22:14 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[40]: start_ldap_auth attempting to auth scottli @ 10.12.33.216
    Fri Oct 19 18:22:14 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[291]: recieve_ldap_bind_event receive ldap bind event
    Fri Oct 19 18:22:14 2007 /usr/home/build/rs_80_48/usr.src/usr.bin/nsaaad/../../netscaler/aaad/ldap_drv.c[551]: recieve_ldap_user_search_event built group string for scottli of:Domain Admins
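
The four cases above can be told apart mechanically in a capture made with tee. The following Python script is an added example, not Citrix code: the sample lines are constructed from the article's examples with the build path shortened, and the verdict labels and the rule that each entry belongs to the most recent start_ldap_auth are assumptions.

```python
import re
# One aaad.debug entry: [timestamp] path/file.c[line]: function message
ENTRY = re.compile(r"(?P<src>\w+\.c)\[\d+\]:\s+(?P<func>\w+)\s+(?P<msg>.*)")

# Constructed sample modelled on the article's examples (build path shortened).
SAMPLE = """\
Fri Oct 19 17:53:20 2007 /build/ldap_drv.c[40]: start_ldap_auth attempting to auth scottli @ 10.12.33.216
Fri Oct 19 17:53:20 2007 /build/ldap_drv.c[551]: recieve_ldap_user_search_event built group string for scottli of:Domain Admins
Fri Oct 19 17:53:22 2007 /build/naaad.c[1198]: send_reject sending reject to kernel for : scottli
/build/ldap_drv.c[40]: start_ldap_auth attempting to auth scott @ 10.12.33.216
Fri Oct 19 17:53:30 2007 /build/ldap_drv.c[534]: recieve_ldap_user_search_event ldap_first_entry returned null, user not found
Fri Oct 19 17:53:30 2007 /build/naaad.c[1198]: send_reject sending reject to kernel for : scott
Fri Oct 19 18:17:16 2007 /build/ldap_drv.c[40]: start_ldap_auth attempting to auth scottli @ 10.12.33.216
Fri Oct 19 18:17:18 2007 /build/ldap_drv.c[326]: recieve_ldap_bind_event ldap_bind with binddn bindpw failed:Invalid credentials
Fri Oct 19 18:17:18 2007 /build/naaad.c[1198]: send_reject sending reject to kernel for : scottli
Fri Oct 19 18:22:14 2007 /build/ldap_drv.c[40]: start_ldap_auth attempting to auth scottli @ 10.12.33.216
Fri Oct 19 18:22:14 2007 /build/ldap_drv.c[551]: recieve_ldap_user_search_event built group string for scottli of:Domain Admins
"""

def classify(log_text):
    """One dict per LDAP attempt; entries go to the most recent attempt."""
    attempts, cur = [], None
    for line in log_text.splitlines():
        m = ENTRY.search(line)  # search, so a missing timestamp is tolerated
        if not m:
            continue
        func, msg = m["func"], m["msg"].strip()
        start = re.match(r"attempting to auth (\S+) @ (\S+)", msg)
        if func == "start_ldap_auth" and start:
            cur = {"user": start[1], "server": start[2], "groups": None,
                   "cause": None, "verdict": "no reject seen"}
            attempts.append(cur)
        elif cur is None:
            continue  # entry logged before any attempt started
        elif "binddn bindpw failed" in msg:
            cur["cause"] = "policy bind credentials rejected"
        elif "user not found" in msg:
            cur["cause"] = "unknown username"
        elif "built group string for" in msg:
            cur["groups"] = msg.partition("of:")[2].strip()  # raw group string
        elif func == "send_reject":
            # User found and groups built, then a reject: wrong user password.
            fallback = "password rejected" if cur["groups"] else "cause not logged"
            cur["verdict"] = "rejected: " + (cur["cause"] or fallback)
    return attempts

if __name__ == "__main__":
    for attempt in classify(SAMPLE): print(attempt)
```
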