Technical Library | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Security > Content Gateway user authentication > Rule-Based Authentication > Troubleshooting authentication rules
Troubleshooting authentication rules
Help | Content Gateway | Version 8.3.x
In rule-based authentication, problems often present as:
*
Users are not challenged for credentials when a challenge is expected
*
Users are challenged for credentials when no challenge is expected
*
User authentication is performed against the wrong domain
These problems occur in one of the following phases of user authentication processing:
*
General user authentication logic (outlined below)
*
Rule definition and matching
*
User authentication protocol processing (IWA, NTLM, LDAP; for IWA troubleshooting, see Troubleshooting Integrated Windows Authentication.)
Rule-based authentication logic
Rule-based authentication applies the following logic:
1.
The rules in filter.config are checked and applied. This action occurs first in every type of Content Gateway user authentication. If a filtering rule is matched, the rule is applied and user authentication processing stops. See Filtering Rules.
2.
If no filtering rule matches, user authentication rule matching is performed.
a.
The requestor's IP address is checked, top-down, against the rule set.
b.
If the IP address matches a rule, the source port is checked.
c.
If the IP address matches a rule, the User-Agent value is checked.
d.
The first rule matched is applied. If no rule matches, no authentication is attempted.
3.
If a rule is matched, the specified authentication protocol is applied against the specified domain. All rule configuration details are applied.
4.
If the user is authenticated, the request proceeds or is denied per the assigned policy.
5.
The transaction is logged.
To see how the logic is applied in a running environment, you can temporarily enable user authentication debug output. Among other details, the debug output shows the parsing of rules and matching. See Enabling and disabling user authentication debug output.
Troubleshooting
When rule-based authentication doesn't produce the expected results, it is recommended that you troubleshoot the problem in the following order:
1.
Check Redirection Rules
Confirm that there is no unexpected entries. In the Content Gateway manager, go to Configure > Networking > ARM > General and examine the Redirection Rules.
2.
Check the rules in filter.config
Confirm that there is no unexpected matching of a filter.config rule. Among other purposes, filter.config rules can be used to bypass user authentication. See Filtering Rules.
3.
Check rule matching
Using the IP address of a user who is or is not being challenged as expected, walk through each rule, top to bottom, examining the settings to find the first match. Be meticulous in your analysis. A common problem is that the IP address falls within a too-broad IP address range.
If the rule uses an alias, confirm that the alias is present in the User Service of the primary domain controller.
For explicit clients configured to send traffic to a specific port, check both the rule and the configuration of the client's browser.
4.
Check the domain
If you are getting the match you expect, verify that the domain is reachable and that the user is a member of the domain. If yes, troubleshoot the problem at the authentication protocol level. For IWA, see Troubleshooting Integrated Windows Authentication.
5.
When Content Gateway is in a proxy chain
If Content Gateway is a member of a proxy chain, verify that X-Forwarded-For headers are sent by the downstream proxy and read by Content Gateway.
*
Use a packet sniffer to inspect inbound packets from the downstream proxy. Look for properly formed X-Forwarded-For headers.
*
In the Content Gateway manager, go to Configure > My Proxy > Basic, scroll to the bottom of the page and verify that Read authentication from child proxy is enabled. If it's not, select On, click Apply, and then restart Content Gateway.
Enabling and disabling user authentication debug output
 
* 
Warning 
Debug output should not be left enabled. Debug output slows proxy performance and can fill the file system with log output.
Debug log information is written to: /opt/WCG/logs/content_gateway.out
To enable user authentication debug information, edit: /opt/WCG/config/records.config
(root)# vi /opt/WCG/config/records.config
Find and modify the following parameters and assign values as shown:
CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING
http_xauth.* | auth_* | winauth.* | ldap.* | ntlm.*
Save and close the file. Force Content Gateway to reread the file with the command:
(root)# /opt/WCG/bin/content_line -x
Follow the flow of debug information with the tail -f command:
(root)# tail -f /opt/WCG/logs/content_gateway.out
Use Ctrl+C to terminate the command.
When you have collected the debug output you want (after one or several user authentication processes is complete), disable debug output by editing records.config and modifying the parameter value as shown.
(root)# CONFIG proxy.config.diags.debug.enabled INT 0
Save and close the file. Force Content Gateway to reread the file with the command:
(root)# /opt/WCG/bin/content_line -x
 

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Content Gateway Security > Content Gateway user authentication > Rule-Based Authentication > Troubleshooting authentication rules
Copyright 2016 Forcepoint LLC. All rights reserved.