Resolving issues

Check the points below to resolve malfunctions.

SN SSO Agent cannot connect to the firewall

  • Check the SSL encryption key (SSLKey), known as the pre-shared key.
    It is entered both in the SN SSO Agent configuration (config.ini file) and in the configuration of the SSO Agent authentication method.
  • Ensure that port 1301, or the port that you have customized, is not blocked by a firewall, whether on the network or on the machine that hosts SN SSO Agent.
    On this machine, use the following command to check that messages pass correctly through this port:

    tcpdump port 1301

  • Check logs from the firewall administration interface in Monitoring > Audit logs > System events.

No users are authenticating on the firewall

  • Check logs from the firewall administration interface in Monitoring > Audit logs > Users.
  • Ensure that there are no rules in the authentication policy blocking users who attempt to authenticate.
    Try adding a rule in the first position (right at the top) of your authentication policy that uses the following elements:
    • For the User field: "All",
    • For the Source field: "Any",
    • For the Authentication methods field: the SSO Agent method concerned.
  • Using the following command, check whether the messages that the SN SSO Agent syslog server sends to the firewall go through the port defined in the configuration as expected. 

    tcpdump port 3514

  • Ensure that the correct information regarding the syslog server is entered in the SSO Agent authentication method configured on the firewall. 
  • Ensure that the regular expressions configured in your firewall and used by the SN SSO Agent syslog server make it possible to retrieve the authentication events that are required for the service to run. If necessary, check your regular expressions (RegEx) on websites that provide such a service.
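
An offline way to carry out the regular expression check in the last point, added here as an example that is not part of the original documentation or of the product: the script runs candidate expressions over sample log lines and reports which pattern fails first, so log lines containing usernames and IP addresses stay on your machine. The log lines are constructed (shaped like Samba 4 authentication messages) and the three patterns are hypothetical; Python's `re` syntax may differ from the engine used by the firewall and the agent.

```python
import re

# Hypothetical patterns for illustration (assumptions, not product defaults).
# Replace them with the expressions configured in your own SSO Agent method.
PATTERNS = {
    "event": re.compile(r"Auth: \[Kerberos KDC,.*status \[NT_STATUS_OK\]"),
    "user": re.compile(r"user \[[^\]]*\]\\\[([^\]@$]+)@[^\]]+\]"),
    "ip": re.compile(r"remote host \[ipv4:(\d{1,3}(?:\.\d{1,3}){3}):\d+\]"),
}

# Constructed sample lines, shaped like Samba 4 authentication messages
# relayed by syslog. Replace them with lines captured on your own server.
PREFIX = "Mar  3 10:15:42 dc1 samba[812]: Auth: [Kerberos KDC,ENC-TS Pre-authentication] "
SAMPLE_LINES = [
    # Successful user logon: all three patterns should match.
    PREFIX + r"user [(null)]\[jdoe@EXAMPLE.LAN] status [NT_STATUS_OK] "
    "remote host [ipv4:192.0.2.25:51544]",
    # Failed logon: must not be treated as an authentication event.
    PREFIX + r"user [(null)]\[jdoe@EXAMPLE.LAN] status [NT_STATUS_WRONG_PASSWORD] "
    "remote host [ipv4:192.0.2.25:51550]",
    # Machine account (trailing $): the user pattern excludes it.
    PREFIX + r"user [(null)]\[WS01$@EXAMPLE.LAN] status [NT_STATUS_OK] "
    "remote host [ipv4:192.0.2.31:49822]",
    # Unrelated daemon message.
    "Mar  3 10:15:43 dc1 smbd[900]: connect to service netlogon",
]


def check(line):
    """Return ("ok", user, ip), or ("miss", name) for the first pattern that fails."""
    found = {}
    for name, rx in PATTERNS.items():
        match = rx.search(line)
        if match is None:
            return ("miss", name)
        # Use the capture group when the pattern has one, else the whole match.
        found[name] = match.group(match.lastindex or 0)
    return ("ok", found["user"], found["ip"])


if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        print(check(sample), "<-", sample[-60:])
```

A "miss" on a line that should produce a user/IP pair names the expression to correct; a "miss" on failed logons and machine accounts is the intended result.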

The SN SSO Agent syslog server is not retrieving events from the LDAP directory

  • Ensure that the configuration of your LDAP directory is accurate. For more information, see the section Configuring the LDAP directory.
  • Check whether the LDAP directory correctly logs authentication events. In our example, we used the following command to check it on a Samba 4 server. The access path may have been modified in the configuration of the server (file smb.conf).

    tail -f /var/log/messages.log

  • Check the configuration of the syslog client installed on the same machine as your LDAP directory (file 00-samba.conf). Try modifying its configuration so that it sends all logs regardless of their severity and associated application system. Follow the format below, keeping "*.*":

    *.* @ip:port