If authentication does not work as expected, or if a failure occurs, you can use reports, alerts, and audit logs to troubleshoot the issue. To get started, consider all the steps in the authentication process, based on the configured resource type and access policies. Start to troubleshoot the last step of the authentication process and work back.
Here are some examples of things to check:
- Does the user receive a push notification? (if push authentication was configured)
- Is there an audit log for the authentication attempt?
- For authentication flows that require the Gateway, what information appears in the Gateway logs?
Steps to troubleshoot specific AuthPoint issues depend on the type of problem, and which AuthPoint and external components are involved in the authentication process. Some AuthPoint components, such as the Gateway, have local log files that you can use for troubleshooting.
Tools to Troubleshoot AuthPoint
To troubleshoot most AuthPoint issues, look at the AuthPoint reports, audit logs, and alerts.
Audit logs are often a useful starting point to troubleshoot AuthPoint issues.
To get started, look at the information available in WatchGuard Cloud and the AuthPoint Gateway log files.
Reports show information about AuthPoint activity and events. Some useful reports for troubleshooting include:
- Denied Push Notifications — See if the user denied a push notification
- Resource Activity — See which resources users fail to authenticate to
- Authentication — See authentication failures for each user
- Sync Activity — See the LDAP user synchronization history
For more information about reports, see Monitor AuthPoint.
WatchGuard Cloud generates alerts for events based on notification rules. For example, you see an alert when a Gateway connects or disconnects, and when a user denies a push authentication request. You can add notification rules to generate other types of alerts.
For more information, see Manage WatchGuard Cloud Alerts.
Audit logs show events related to management actions, configuration changes, and AuthPoint events. For authentication events, the Audit Log Detail window shows details about the authentication attempt.
Match the error code from the audit log in WatchGuard Cloud to the error code you see in the log messages for events on the Gateway or in authentication error messages in the IdP Portal or Logon app for Windows or Mac. For more information, see Audit Logs.
Gateway Log Files
For authentication types that involve the AuthPoint Gateway, look at log files on the Gateway. Log messages include information about Gateway operations, and connections to RADIUS, LDAP, and ADFS. The Gateway runs as four services: Gateway, RADIUS, LDAP, and ADFS.
Each service creates a separate log file. Log messages include the user name and request ID, which can be useful to match a log message to an associated AuthPoint audit log event or error message.
You can find the Gateway log files in this directory: C:\ProgramData\WatchGuard\AuthPoint\logs.
Tips to Troubleshoot AuthPoint
Here are some tips to troubleshoot issues with specific types of authentication or AuthPoint components. In most cases, try to find:
- The error codes associated with the error
- The request ID associated with the error
You can then use that information to search the Audit log and log messages.
Troubleshoot the AuthPoint Gateway
The AuthPoint Gateway runs as four services:
- Gateway — Communicates with WatchGuard Cloud and configures the other three services
- RADIUS — Communicates with RADIUS clients
- LDAP — Communicates with LDAP
- ADFS — Communicates with ADFS
Use the Windows Services app to verify that all four services are running. In the Services app, the four running services look like this:
If a service is not running, use Windows Event Viewer to see when the service stopped and started.
The Gateway service must start and run correctly before the other services will start. If the Gateway service cannot connect to the cloud, or cannot start for some reason, the other services will hang while they wait for configuration files that never arrive. If you successfully restart the Gateway service, you must also restart the other services after the Gateway service is running correctly again.
Troubleshoot RADIUS Authentication
Look at these log messages and error messages:
- Audit logs in WatchGuard Cloud
- RADIUS logs on the AuthPoint Gateway
- RADIUS client error messages
- Firebox log messages — If the Firebox is configured as a RADIUS client, search Firebox log messages for user authentication events, and connection errors between the Firebox and the AuthPoint Gateway.
Other things to try:
- Make sure the RADIUS port (the default ports are 1812 or 1645) is open on the server on which the Gateway is installed. The port is not open by default. If the port is open, make sure it is not used by anything else on that server, which would cause a conflict with the Gateway.
- Do a pcap between the Gateway and the RADIUS client.
Troubleshoot LDAP Authentication
Look at these log messages:
- In the LDAP logs on the Gateway, look for:
- Connectivity test results
- Synchronization events
- User authentication requests
- Errors with connections to the domain controller
- In the WatchGuard Cloud audit logs, look for:
- LDAP external identity configuration changes
- LDAP user synchronization errors
Other things to try:
- If the Gateway is installed on a different server than the LDAP/AD server, do a pcap between the Gateway and the LDAP/AD server to verify that an LDAP response comes back.
Troubleshoot AuthPoint Agents for Windows and Mac
When an authentication error occurs, an error message might appear on the AuthPoint Agent for Windows or Mac login page. The error message includes the error code and request ID. Use the error code and request ID to find the error in the audit log.
Troubleshoot IdP Portal
To troubleshoot the IdP portal, ask the user for information about login errors. When authentication fails, an error message appears on the login page. The bottom of the page shows the error code and request ID.
Use the error code and request ID to find the error in the audit log.
Troubleshoot AuthPoint Mobile App
To troubleshoot the mobile app, ask the user for information about login errors. When an authentication error occurs, the mobile device shows an error message that includes the error code. Errors are useful for troubleshooting, because you can look for the error code in the audit log.
In the mobile app, the user can also see token details. Make sure that the token details show these values:
- Push Status — Registered
- Time Reference — The correct time
If needed, the user can select the Sync Token option to resynchronize the time and status of a token with the server. This is necessary for authentication so that when the user approves a push or type an OTP, AuthPoint recognizes that the authentication happens in the allowed amount of time. If the time difference between the token timestamp and the server timestamp is too big, the user may not be able to authenticate.
For more information, see Sync Your Token.
To troubleshoot ADFS, you can find useful information in:
- Event viewer on the computer where the ADFS Agent is installed
- Audit logs in WatchGuard Cloud
- ADFS log file on the AuthPoint Gateway
- ADFS agent log file
Troubleshoot RD Web
The AuthPoint Agent for RD Web runs as a service on the RD Web server. Make sure the WatchGuard AuthPoint RD Web Core service is running.
Tools you can use to troubleshoot RD Web include:
- IIS server log files — For information about user authentication to the RD Web portal
- Event Viewer for Remote Desktop Services — For information about user connections to RD Web hosted resources
- AuthPoint audit logs — For events for RD Web user authentication