Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Troubleshooting authentication rules
Help | Content Gateway | v8.5.x
In rule-based authentication, problems often present as:
*
Users are not challenged for credentials when a challenge is expected
*
Users are challenged for credentials when no challenge is expected
*
These problems occur in one of the following phases of user authentication processing:
*
*
*
Rule-based authentication logic
Rule-based authentication applies the following logic:
1.
The rules in filter.config are checked and applied. This action occurs first in every type of Content Gateway user authentication. If a filtering rule is matched, the rule is applied and user authentication processing stops. See Content Gateway filtering rules.
2.
a.
b.
c.
d.
The first rule matched is applied. If no rule matches, no authentication is attempted.
3.
4.
5.
To see how the logic is applied in a running environment, you can temporarily enable user authentication debug output. Among other details, the debug output shows the parsing of rules and matching. See Enabling and disabling user authentication debug output.
Troubleshooting
When rule-based authentication doesn't produce the expected results, it is recommended that you troubleshoot the problem in the following order:
1.
Confirm that there is no unexpected entries. In the Content Gateway manager, go to Configure > Networking > ARM > General and examine the Redirection Rules.
2.
Confirm that there is no unexpected matching of a filter.config rule. Among other purposes, filter.config rules can be used to bypass user authentication. See Content Gateway filtering rules.
3.
Using the IP address of a user who is or is not being challenged as expected, walk through each rule, top to bottom, examining the settings to find the first match. Be meticulous in your analysis. A common problem is that the IP address falls within a too-broad IP address range.
If the rule uses an alias, confirm that the alias is present in the User Service of the primary domain controller.
For explicit clients configured to send traffic to a specific port, check both the rule and the configuration of the client's browser.
4.
If you are getting the match you expect, verify that the domain is reachable and that the user is a member of the domain. If yes, troubleshoot the problem at the authentication protocol level. For IWA, see Troubleshooting Integrated Windows Authentication.
5.
If Content Gateway is a member of a proxy chain, verify that X-Forwarded-For headers are sent by the downstream proxy and read by Content Gateway.
*
*
In the Content Gateway manager, go to Configure > My Proxy > Basic, scroll to the bottom of the page and verify that Read authentication from child proxy is enabled. If it's not, select On, click Apply, and then restart Content Gateway.
Enabling and disabling user authentication debug output
 
Warning 
Debug log information is written to: /opt/WCG/logs/content_gateway.out
To enable user authentication debug information, edit: /opt/WCG/config/records.config
(root)# vi /opt/WCG/config/records.config
Find and modify the following parameters and assign values as shown:
CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING
http_xauth.* | auth_* | winauth.* | ldap.* | ntlm.*
Save and close the file. Force Content Gateway to reread the file with the command:
(root)# /opt/WCG/bin/content_line -x
Follow the flow of debug information with the tail -f command:
(root)# tail -f /opt/WCG/logs/content_gateway.out
Use Ctrl+C to terminate the command.
When you have collected the debug output you want (after one or several user authentication processes is complete), disable debug output by editing records.config and modifying the parameter value as shown.
(root)# CONFIG proxy.config.diags.debug.enabled INT 0
Save and close the file. Force Content Gateway to reread the file with the command:
(root)# /opt/WCG/bin/content_line -x

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Copyright 2020 Forcepoint. All rights reserved.