Troubleshooting authentication rules
Help | Content Gateway | Version 8.1.x
In rule-based authentication, problems often present as:
* Users are not challenged for credentials when a challenge is expected
* Users are challenged for credentials when no challenge is expected
*
These problems occur in one of the following phases of user authentication processing:
*
*
*
Rule-based authentication logic
Rule-based authentication applies the following logic:
1. The rules in filter.config are checked and applied. This action occurs first in every type of Content Gateway user authentication. If a filtering rule is matched, the rule is applied and user authentication processing stops. See Filtering Rules.
2.
a.
b.
c.
d.
The first rule matched is applied. If no rule matches, no authentication is attempted.
3.
4.
5.
To see how the logic is applied in a running environment, you can temporarily enable user authentication debug output. Among other details, the debug output shows the parsing of rules and matching. See Enabling and disabling user authentication debug output.
Troubleshooting
When rule-based authentication doesn't produce the expected results, it is recommended that you troubleshoot the problem in the following order:
1. Confirm that there is no unexpected IP address NAT. Network address translation has the result that the original source IP address is changed to another address before user authentication is performed. In the Content Gateway manager, go to Configure > Networking > ARM > General and examine the rules in ipnat.config. Addresses can also be NATed by other devices in the network, such as downstream proxies or firewalls.
2. Confirm that there is no unexpected matching of a filter.config rule. Among other purposes, filter.config rules can be used to bypass user authentication. See Filtering Rules.
3. Using the IP address of a user who is or is not being challenged as expected, walk through each rule, top to bottom, examining the settings to find the first match. Be meticulous in your analysis. A common problem is that the IP address falls within a too-broad IP address range.
If the rule uses an alias, confirm that the alias is present in the User Service of the primary domain controller.
For explicit clients configured to send traffic to a specific port, check both the rule and the configuration of the client's browser.
4. If you are getting the match you expect, verify that the domain is reachable and that the user is a member of the domain. If yes, troubleshoot the problem at the authentication protocol level. For IWA, see Troubleshooting Integrated Windows Authentication.
5. If Content Gateway is a member of a proxy chain, verify that X-Forwarded-For headers are sent by the downstream proxy and read by Content Gateway.
*
* In the Content Gateway manager, go to Configure > My Proxy > Basic, scroll to the bottom of the page and verify that Read authentication from child proxy is enabled. If it's not, select On, click Apply, and then restart Content Gateway.
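The rule walk in step 3 can be rehearsed on paper before touching the proxy. The shell functions below are an added illustration, not Content Gateway code and not this help page's own material: the rule table (a constructed "name, first address, last address, action" layout, not the product's rule file format) is evaluated top to bottom with first match wins, as the logic section describes, and a second pass reports rules whose whole range sits inside an earlier rule's range, which is exactly the "too-broad range" situation the step warns about.

```shell
# Added example (not Content Gateway code): walk a rule table top to bottom and
# report the first match for an address, then flag rules that an earlier,
# broader range completely covers. The table format below is constructed for
# this illustration: "<rule-name> <first-address> <last-address> <action>".
RULES='branch-office    10.0.0.0        10.255.255.255  IWA
servers-no-auth  10.0.5.0        10.0.5.255      none
guests           192.168.100.0   192.168.100.255 LDAP'

# Convert a dotted-quad IPv4 address to an integer so ranges can be compared.
ip_to_int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# Print "<rule-name> <action>" for the first rule whose range contains the
# address, or "no-match" when no rule matches (no authentication attempted).
first_match() {
  ip=$(ip_to_int "$1")
  match=$(printf '%s\n' "$RULES" | while read -r name lo hi action; do
    [ -n "$name" ] || continue
    if [ "$ip" -ge "$(ip_to_int "$lo")" ] && [ "$ip" -le "$(ip_to_int "$hi")" ]; then
      echo "$name $action"
      break
    fi
  done)
  if [ -n "$match" ]; then echo "$match"; else echo "no-match"; fi
}

# List every rule whose whole range lies inside an earlier rule's range: such a
# rule can never be the first match, which is the "too-broad range" problem.
shadowed_rules() {
  i=0
  printf '%s\n' "$RULES" | while read -r name lo hi action; do
    [ -n "$name" ] || continue
    i=$((i + 1))
    lo_i=$(ip_to_int "$lo"); hi_i=$(ip_to_int "$hi")
    j=0
    printf '%s\n' "$RULES" | while read -r pname plo phi paction; do
      j=$((j + 1))
      [ "$j" -lt "$i" ] || break
      if [ "$(ip_to_int "$plo")" -le "$lo_i" ] && [ "$(ip_to_int "$phi")" -ge "$hi_i" ]; then
        echo "$name shadowed-by $pname"
        break
      fi
    done
  done
}

# Usage with a constructed address: a server that should not be challenged is
# caught by the broad branch-office rule placed above it.
#   first_match 10.0.5.20   -> branch-office IWA
#   shadowed_rules          -> servers-no-auth shadowed-by branch-office
```

Reordering the two rules (narrow exception first, broad range second) is the usual fix; the `shadowed_rules` pass is the check to run after any edit to the rule order.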
Enabling and disabling user authentication debug output
Warning
Debug log information is written to: /opt/WCG/logs/content_gateway.out
To enable user authentication debug information, edit: /opt/WCG/config/records.config
(root)# vi /opt/WCG/config/records.config
Find and modify the following parameters and assign values as shown:
CONFIG proxy.config.diags.debug.enabled INT 1
CONFIG proxy.config.diags.debug.tags STRING http_xauth.* | auth_* | winauth.* | ldap.* | ntlm.*
Save and close the file. Force Content Gateway to reread the file with the command:
(root)# /opt/WCG/bin/content_line -x
Follow the flow of debug information with the tail -f command:
(root)# tail -f /opt/WCG/logs/content_gateway.out
Use Ctrl+C to terminate the command.
When you have collected the debug output you want (after one or several user authentication processes are complete), disable debug output by editing records.config and modifying the parameter value as shown.
CONFIG proxy.config.diags.debug.enabled INT 0
Save and close the file. Force Content Gateway to reread the file with the command:
(root)# /opt/WCG/bin/content_line -x
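The enable, tail and disable steps above are easy to get slightly wrong by hand (a stray prompt pasted into records.config, the wrong parameter edited, the reread forgotten). The script below is an added example, not part of Content Gateway or of this help page: it rewrites the two parameters named above in place, keeps a .bak copy, and runs the content_line -x reread when that binary is present. The file paths default to the ones on this page; the functions take an optional file argument so they can be tried on a copy first, and the script body itself is an assumption about how an administrator might package the procedure, not a product-supplied tool.

```shell
# Added example (not Content Gateway code): toggle the two records.config
# parameters from the procedure above without hand-editing the file, then ask
# Content Gateway to reread it. Paths default to the ones on this page; pass a
# file name to the functions to try them on a copy first.
RECORDS="${RECORDS:-/opt/WCG/config/records.config}"
CONTENT_LINE="${CONTENT_LINE:-/opt/WCG/bin/content_line}"
DEBUG_LOG="${DEBUG_LOG:-/opt/WCG/logs/content_gateway.out}"
AUTH_DEBUG_TAGS='http_xauth.* | auth_* | winauth.* | ldap.* | ntlm.*'

# set_record <name> <TYPE> <value> [file]
# Rewrite the "CONFIG <name> <TYPE> <value>" line for one parameter, appending
# it if the file has no such line. A .bak copy is kept. awk -v processes
# backslash escapes, so values must not contain backslashes (the tags above
# do not).
set_record() {
  name=$1; rtype=$2; value=$3; file=${4:-$RECORDS}
  cp "$file" "$file.bak"
  awk -v name="$name" -v rtype="$rtype" -v value="$value" '
    $1 == "CONFIG" && $2 == name { print "CONFIG " name " " rtype " " value; found = 1; next }
    { print }
    END { if (!found) print "CONFIG " name " " rtype " " value }
  ' "$file.bak" > "$file"
}

# get_record <name> [file]: print the current value of one parameter
# (everything after the TYPE column).
get_record() {
  awk -v name="$1" '
    $1 == "CONFIG" && $2 == name {
      s = ""; for (i = 4; i <= NF; i++) s = s (i > 4 ? " " : "") $i; print s
    }' "${2:-$RECORDS}"
}

# Make Content Gateway reread records.config; skipped when the binary is
# absent, for instance when rehearsing against a copy on another host.
reload_config() {
  if [ -x "$CONTENT_LINE" ]; then
    "$CONTENT_LINE" -x
  else
    echo "$CONTENT_LINE not found; reload skipped" >&2
  fi
}

# Turn on the debug flag and set the authentication-related tags.
enable_auth_debug() {
  set_record proxy.config.diags.debug.enabled INT 1 "$1"
  set_record proxy.config.diags.debug.tags STRING "$AUTH_DEBUG_TAGS" "$1"
  reload_config
}

# Turn the debug flag off again; the tags line is left as the page describes.
disable_auth_debug() {
  set_record proxy.config.diags.debug.enabled INT 0 "$1"
  reload_config
}

# Command-line use: "sh auth_debug.sh enable", then "sh auth_debug.sh tail"
# (Ctrl+C to stop), then "sh auth_debug.sh disable" once the authentication
# attempts of interest have been captured.
case "${1:-}" in
  enable)  enable_auth_debug ;;
  disable) disable_auth_debug ;;
  tail)    tail -f "$DEBUG_LOG" ;;
esac
```

Leaving debug output enabled costs disk space and writes user names into content_gateway.out, so the disable step belongs in the same change window as the enable step; `get_record proxy.config.diags.debug.enabled` is a quick way to confirm the flag is back to 0.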
Copyright 2016 Forcepoint LLC. All rights reserved.