Troubleshoot User Authentication

After you configure authentication for users and groups on your Firebox, you can follow the steps in this topic to troubleshoot authentication issues. These troubleshooting steps apply to any Firebox components that require user authentication, such as:

  • Mobile VPN connections
  • Policies that use group membership to define the source of traffic
  • Dimension reports that include user names
  • Single Sign-On (SSO). If SSO does not work for a user, it is important to verify whether manual authentication (a prompt for typed user credentials) works with Active Directory.

To test manual authentication, use a computer on the network protected by the Firebox.

To verify that your Firebox can connect to your Active Directory or LDAP authentication server for user authentication, you can use Fireware Web UI to test the connection between the Firebox and your authentication server. For more information, go to Server Connection.

Before You Begin

Before you create a policy to test authentication, confirm that you can browse from the client computer to https://www.watchguard.com and http://www.watchguard.com. Make sure that the client computer uses the Firebox as its default gateway.

Create a Test Policy for Authentication

To test authentication and the ability to configure policies that affect authenticated users, you can configure a policy that denies traffic. Then, verify that the policy operates as expected for connections from authenticated users in a specific group.

For example, you can create an HTTPS policy that denies all connections from users in a specific group. Then, you can test HTTPS connections from an authenticated user in the group to verify that the policy applies to connections from that authenticated user.

Follow these steps to configure an HTTPS deny policy for connections from a user group.

Test User Authentication

Authenticate to the Firebox as a user who is a member of the group you specified in the HTTPS-Test-Deny policy.

  1. Browse from the client computer to the Firebox authentication portal web page at https://[Firebox interface IP address]:4100
  2. If more than one type of authentication is enabled, select the authentication server or domain from the Domain drop-down list.
  3. Type the Username and Password for the user in the group.

If authentication failed, investigate whether the failure was caused by one of these issues:

After authentication is successful, you are ready to test the connections and policies for an authenticated user.

Log the User Off After Configuration Changes

If you make a change to a user account or group membership as part of troubleshooting, the changes do not affect users who are already authenticated. To test the change, you must log the user out of the Firebox before you log in again to test any configuration change. This makes sure that the Firebox correctly associates the group membership with the user.

Test Connections from an Authenticated User

After you create the HTTPS-Test-Deny policy and successfully authenticate to the Firebox as a user who is a member of the group specified in the policy, you can test whether the policy denies traffic for that user. This confirms that the group membership operates as expected.

From a web browser on the client computer:

  • To test HTTP connections, try to browse to http://www.watchguard.com.
    This connection should be allowed, because the HTTPS-Test-Deny policy does not apply to HTTP traffic.
  • To test HTTPS connections, try to browse to https://www.watchguard.com.
    This connection should be denied by the HTTPS-Test-Deny policy if the client computer is authenticated as a user who is a member of the group specified in the policy.
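The two browser checks above, as an added shell script that is not part of the WatchGuard documentation: it runs the same HTTP and HTTPS requests with curl from the authenticated client computer and reports whether each outcome matches what the HTTPS-Test-Deny policy predicts. The mapping of curl connection failures and timeouts to "denied" is an assumption about how a Firebox deny appears on the client; curl is assumed to be installed.

```shell
#!/bin/sh
# Added example (not WatchGuard's code). Run from the client computer after
# authenticating at the Firebox portal: sh check_authpolicy.sh run
# Assumes curl is installed and the client uses the Firebox as default gateway.

ALLOW_URL="http://www.watchguard.com"    # HTTPS-Test-Deny does not cover HTTP
DENY_URL="https://www.watchguard.com"    # should be blocked for the group member

# Map a curl exit status to an outcome. 0 = request completed (allowed).
# 7 (connect failed) and 28 (timeout) are assumed to be how a Firebox deny
# shows up on the client; anything else is reported as unknown.
classify() {
  case "$1" in
    0)    echo allowed ;;
    7|28) echo denied ;;
    *)    echo unknown ;;
  esac
}

# Compare an observed outcome with the expected one; return 0 on a match.
check() {  # $1 = label, $2 = observed, $3 = expected
  if [ "$2" = "$3" ]; then
    echo "PASS: $1 -> $2"
    return 0
  fi
  echo "FAIL: $1 -> $2 (expected $3)"
  return 1
}

# Fetch a URL through the Firebox and print the classified outcome.
probe() {  # $1 = URL
  curl -sS -o /dev/null --max-time 10 "$1" 2>/dev/null
  classify $?
}

# HTTP should pass; HTTPS should be denied for the authenticated group member.
# A FAIL on the HTTPS line means the policy did not apply to this user.
run_tests() {
  rc=0
  check "HTTP  $ALLOW_URL" "$(probe "$ALLOW_URL")" allowed || rc=1
  check "HTTPS $DENY_URL"  "$(probe "$DENY_URL")"  denied  || rc=1
  return $rc
}

if [ "${1:-}" = "run" ]; then
  run_tests
fi
```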

If the test policy does not deny the HTTPS request from the authenticated user, investigate to see whether the behavior was caused by one of these issues:

Related Topics

Authentication Server Types

Configure Active Directory Authentication