Skip to main content

Debugging & Troubleshooting Authentication Problems

When you encounter authentication issues, the tips here can help you identify and resolve them.

You're welcome to send us a support ticket as well.

Use the authcli tool

To validate your authentication configuration for Access Server, we recommend using the authcli command-line utility.

What is authcli?

The authcli tool runs tests and provides useful debugging information. You can print authentication results to your screen, see user-specific properties applied when authentication succeeds, and verify if expected properties get picked up.

How to use authcli?

To run authcli, ensure you are in the /usr/local/openvpn_as/scripts/ directory and run the commands as a root user.

Important

Mismatched usernames are one of the most common problems with authentication, where the username in the User Permissions table for Access Server doesn’t precisely match the username in the external authentication system.

Use the below commands for debugging or testing with authcli.

Verify authentication for a user:

./authcli --user <USER_NAME> --pass <PASSWORD>
Example 1. Sample output of a successful local authentication attempt
API METHOD: authenticate
AUTH_RETURN
 status : SUCCEED
 session_id : AaJkamAuZgjXwsjk+N96eA==
 reason : local auth succeeded
 expire : 1505404548
 user : test
 proplist : {'pvt_password_digest': '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08', 'type': 'user_connect', 'prop_autogenerate': 'true'}


Verify authentication for a user with multi-factor authentication (MFA) enabled:

./authcli --user <USER_NAME> --pass <PASSWORD> --sr=<MFA_CODE_HERE>

Case-sensitive matters for usernames

Most authentication systems are case-sensitive. Ensure the username case matches between Access Server and the external authentication system. After a successful match, Access Server can apply user-specific properties — auto-login privileges, static IP address, and so on.

For PAM authentication, the username is case-sensitive. Authentication fails if you enter "Gary" to sign in but the actual username is "gary".

Some LDAP servers, such as Active Directory, may not be case-sensitive for usernames. However, if you sign in to Access Server with "Gary" and the LDAP server returns "gary" as the match, Access Server looks up user-specific properties for "gary". Ensure you match cases for your usernames.

LDAP authentication debugging tips

The most common problems for LDAP authentication relate to the base DN search query. Ensure you enter that carefully, especially where your search query is very specific. When you encounter an LDAP issue related to your search query, you receive an error message such as “user not found that meets specified criteria.” The user isn’t found in that location in the LDAP directory.

Try these steps to address this issue:

  1. Broaden your search query to include the entire directory: DC=example,DC=com (adjust to your DC values).

  2. If that works, refine your search query how you like: search in a specific location, or search by a specific group.

When debugging problems with authenticating against an LDAP server, generally, the LDAP debug options are not necessary. Still, you need to use some trial and error and the authcli tool.

For more information, refer to Access Server command-line interface tools.

In this section: