Contents

Related Topics

Troubleshoot User Authentication

After you configure authentication for users and groups on your Firebox, you can follow the steps in this topic to troubleshoot authentication issues. These troubleshooting steps apply to any Firebox components that require user authentication, such as:

  • Mobile VPN connections
  • Policies that use group membership to define the source of traffic
  • Dimension reports that include user names
  • Single Sign-On (SSO). If SSO does not work for a user, it is important to verify whether manual authentication (a prompt for typed user credentials) works with Active Directory.

To test manual authentication, use a computer on the network protected by the Firebox .

To verify that your Firebox can connect to your Active Directory or LDAP authentication server for user authentication, you can use Fireware Web UI to test the connection between the Firebox and your authentication server. For more information, see Server Connection.

Before You Begin

Before you create a policy to test authentication, confirm that you can browse from the client computer to https://www.watchguard.com and https://www.watchguard.com. Make sure that the client computer uses the Firebox as its default gateway.

Create a Test Policy for Authentication

To test authentication and the ability to configure policies that affect authenticated users, you can configure a policy that denies traffic. Then, verify that the policy operates as expected for connections from authenticated users in a specific group.

For example, you can create an HTTPS policy that denies all connections from users in a specific group. Then, you can test HTTPS connections from an authenticated user in the group to verify that the policy applies to connections from that authenticated user.

Follow these steps to configure an HTTPS deny policy for connections from a user group.

To create the test policy from Fireware Web UI:Closed
  1. In Fireware Web UI, select Firewall > Firewall Policies.
    The Policies page appears.
  2. Click Add Policy.
    The Add Firewall Policy page appears.
  3. From the Packet Filter drop-down list, select HTTPS.
  4. Click Add Policy.
    The Add page appears. The Policy Name field populates with HTTPS.
  5. Change the Policy Name to a descriptive name, such as HTTPS – Test Deny.
  6. From the Connections are drop-down list, click Denied.
  7. In the From list, select Any-Trusted. Click Remove.
  8. Below the From list, click Add.
    The Add Member dialog box appears.
  9. From the Member type drop-down list, select Firewall Group.
    Or, if you want to test for a specific user instead of a group, select Firewall User.
    The list of configured groups or users appears.

If groups or users from your Active Directory server or other external authentication server do not appear, you must add the group name to the Firebox configuration. To do this, select Authentication > Users and Groups. This group name is case-sensitive and must exactly match the group name on your external authentication server.

  1. If you selected a group, select the group name.
  2. If you select a user, select the group that the user is a member of.
  3. Click OK.
    The group or user name is added to the From list.

Screen shot of the configured policy

  1. Click Save to add the policy to your Firebox configuration.
    The new policy appears in the Policies page. The WatchGuard Authentication policy is also added automatically if it did not previously exist.
  2. Make sure that no other policy that allows HTTPS connections from this group to Any-External appears higher in the Policies list.
To create the HTTPS test policy from Policy Manager:Closed
  1. Open the Firebox configuration in Policy Manager.
  2. Select Edit > Add Policy.
  3. From the list of packet filter policies, select HTTPS.
  4. Click Add.
  5. In the Name text box, type a descriptive name such as HTTPS-Test-Deny.
  6. From the HTTPS Connections are drop-down list, click Denied
  7. In the From list, select Any-Trusted. Click Remove.
  8. Below the From list, click Add.
    The Add Address dialog box appears.
  9. Click Add User.
    The Add Member dialog box appears.
  10. From the Type drop-down lists, select Firewall and Group.
    Or, if you want to test for a specific user rather than a group, select Firewall and User.
    The list of configured groups or users appears.

If groups or users from your Active Directory server or other external authentication server to not appear, you must add the group name to the Firebox configuration. To do this, select Setup > Authentication > Users and Groups. This group name is case-sensitive and must exactly match the group name on your external authentication server.

  1. Select the group that the user is a member of.
  2. Click OK.
    The group name is added to the From list.

Screen shot of the configured policy

  1. Click Save to add the policy to your Firebox configuration.
    The new policy appears in the Policies page. The WatchGuard Authentication policy is also added automatically if it did not previously exist.
  2. Make sure that no other policy that allows HTTPS connections from this group to Any-External appears higher in the Policies list.
  3. Save the configuration to the Firebox.

Test User Authentication

Authenticate to the Firebox as a user who is a member of the group you specified in the HTTPS-Test-Deny policy.

  1. Browse from the client computer to the Firebox authentication portal web page at https://[Firebox interface IP address ]:4100
  2. If more than one type of authentication is enabled, select the authentication server or domain from the Domain drop-down list.
  3. Type the Username and Password for the user in the group.

If authentication failed, investigate whether the failure was caused by one of these issues:

Authentication is case-sensitive and the user name does not match exactly.Closed

Review the user name for the user in the Firebox local users and groups configuration and on the external authentication server. Check for the exact use of upper and lower case and for leading or trailing spaces.

The client passphrase is incorrect.Closed

In the authentication server, change the user passphrase to match the passphrase you specified in your test. If you use Firebox-DB for authentication, change this on the Firebox. If you use an external authentication server, change the user's passphrase on the external authentication server.

Authentication settings on the Firebox are not configured correctly.Closed

Review your authentication configuration carefully to match the IP address and other required settings for your authentication server.

  • If you use Fireware Web UI to configure users for local Firebox authentication, review the users in Authentication > Servers, and not Authentication > Users and Groups.
  • If you use Policy Manager to configure users for local Firebox authentication, review the users in Setup > Authentication Servers, and not Setup > Authentication > Users and Groups.
  • If you use Active Directory, make sure you have correctly specified the Active Directory search base. For more information, see Find Your Active Directory Search Base.

After authentication is successful, you are ready to test the connections and policies for an authenticated user.

Log the User Off After Configuration Changes

If you make a change to a user account or group membership as part of troubleshooting, the changes do not affect users who are already authenticated. To test the change, you must log the user out of the Firebox before you log in again to test any configuration change. This makes sure that the Firebox correctly associates the group membership with the user.

To log a user off in Fireware Web UI:Closed
  1. Select System Status > Authentication List.
    The Authentication List page appears.
  2. Select the check box next to the user name in the list.
  3. Click Log Off Users.
To log a user off in Firebox System Manager:Closed
  1. Select the Authentication List tab.
  2. Right click the user name in the list and select Log Off User.

Test Connections from an Authenticated User

After you create the HTTPS-Test-Deny policy and successfully authenticate to the Firebox as a user who is a member of the group specified in the policy, you can test if the policy successfully denies traffic for the user. This confirms that the group membership operates as expected.

From a web browser on the client computer:

  • To test HTTP connections, try to browse to https://www.watchguard.com.
    This connection should be allowed, because the test HTTPS-Test-Deny policy does not apply to HTTP traffic.
  • To test HTTPS connections, try to browse to https://www.watchguard.com.
    This should be denied by the HTTPS-Test-Deny policy if the client computer is authenticated as a user that is a member of the group specified in the policy.

If the test policy does not deny the HTTPS request from the authenticated user, investigate to see whether the behavior was caused by one of these issues:

The policy is not correctly configured to deny access over HTTPS.Closed

To test whether the policy is correctly configured to deny HTTPS traffic, edit the HTTPS-Test-Deny policy and add the user name to the From list. Then, test the HTTPS connection again.

If the policy denies HTTPS traffic from this user after you add the user name to the policy, that means the policy is configured correctly and the problem is related to group membership. Remove the user name from the policy after this test so that you can use the policy to troubleshoot group membership.

If the policy does not deny HTTPS connections from this user after you add the user name to the policy, either the policy is not correctly configured to deny this traffic, or another policy with higher precedence allows HTTPS connections from this user. Make sure that the policy is set to deny connections, and that no other policies with higher precedence apply to HTTPS connections from this user or to a group this user is a member of.

The configured search base does not include the group name (LDAP or Active Directory authentication).Closed

If the search base specified in the LDAP or Active Directory authentication settings on the Firebox is too specific, it might not include the group name. You can check for the group on your authentication server to see if this is the case.

As a best practice, we recommend that you change the search base in the LDAP or Active Directory authentication settings on the Firebox to simplify the search base to the broadest possible base that works with your authentication server. For example, if your search base is ou=users,dc=example,dc=com, simplify it to dc=example,dc=com.

For more information about Active Directory authentication settings, see Configure Active Directory Authentication

For more information about LDAP authentication settings, see Configure LDAP Authentication.

Authentication is case-sensitive, and the group name on the Firebox does not match exactly.Closed

The group name configured on the Firebox, and used in policies, must exactly match the group name on the external authentication server. Look at the group name on the Firebox and compare it to the group name on the external authentication server. Check the spelling and verify the exact use of upper and lower case and leading or trailing spaces.

The user is not configured as a member of the group specified in the policy.Closed

If the user is not a member of the group, the policy does not apply to connections from that user. If you use an external authentication server, make sure the user account on the external authentication server is a member of that group. If you use Firebox authentication, make sure the user is a member of the group on the Firebox. The user account must be a member of the group with a group name that exactly matches the group name specified in the policy. Check the spelling and verify the exact use of upper and lower case and leading or trailing spaces.

For RADIUS authentication servers, such as RADIUS and SecurID, group membership is identified by the Filter-ID attribute.

For more information about how to use groups in policies, see Use Users and Groups in Policies.

The client IP address authenticated with a different user name than expected.Closed

To verify that the client computer is logged in with the user name you expect, you can search the log messages for requests from the client IP address. At the end of each log message for traffic from an authenticated user, you can see the user name associated with the IP addresses, for example src_user="TestUser@Firebox-DB".

If you find that the IP address is associated with a different user than you expect, investigate whether something else, such as the SSO Agent, SSO Client, or a mobile VPN client is configured to perform user authentication for that client computer.

For more information about Single Sign-On, see About Active Directory Single Sign-On (SSO).

For more information about routing Internet traffic through mobile VPN clients, see Internet Access Options for Mobile VPN Users.

See Also

Authentication Server Types

Configure Active Directory Authentication

Give Us Feedback     Get Support     All Product Documentation     Technical Search

© 2018 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, WatchGuard Dimension, Firebox, Core, Fireware, and LiveSecurity are registered trademarks or trademarks of WatchGuard Technologies in the United States and/or other countries.