Troubleshoot AuthPoint

Applies To: AuthPoint Multi-Factor Authentication, AuthPoint Total Identity Security

If authentication does not work as expected, or if a failure occurs, you can use reports, alerts, and audit logs to troubleshoot the issue. To get started, consider all the steps in the authentication process, based on the configured resource type and access policies. Start to troubleshoot the last step of the authentication process and work back.

Here are some examples of things to check:

  • Does the user receive a push notification? (if push authentication was configured)
  • Is there an audit log for the authentication attempt?
  • For authentication flows that require the Gateway, what information appears in the Gateway logs?
  • If your policy has a policy object, do you have a second policy for the same groups and resources without the policy objects?

Steps to troubleshoot specific AuthPoint issues depend on the type of problem, and which AuthPoint and external components are involved in the authentication process. Some AuthPoint components, such as the Gateway, have local log files that you can use for troubleshooting.

For more troubleshooting information, see AuthPoint Tips and Best Practices.

Tools to Troubleshoot AuthPoint

To troubleshoot most AuthPoint issues, look at the AuthPoint reports, audit logs, and alerts.

Screen shot that shows the Administration menu in WatchGuard Cloud.

Audit logs are often a useful starting point to troubleshoot AuthPoint issues.

To get started, look at the information available in WatchGuard Cloud and the AuthPoint Gateway log files.

AuthPoint Reports

Reports show information about AuthPoint activity and events. Some useful reports for troubleshooting include:

  • Denied Push Notifications — See if the user denied a push notification
  • Resource Activity — See which resources users fail to authenticate to
  • Authentication — See authentication failures for each user
  • Sync Activity — See the LDAP user synchronization history

For more information about reports, see Monitor AuthPoint.

Alerts

WatchGuard Cloud generates alerts for events based on notification rules. For example, you see an alert when a Gateway connects or disconnects, and when a user denies a push authentication request. You can add notification rules to generate other types of alerts.

For more information, see Manage WatchGuard Cloud Alerts.

Audit Logs

Audit logs show events related to management actions, configuration changes, and AuthPoint events. For authentication events, the Audit Log Detail window shows details about the authentication attempt.

Screen shot that shows the the Audit Log Detail window.

Match the error code from the audit log in WatchGuard Cloud to the error code you see in the log messages for events on the Gateway or in authentication error messages in the IdP Portal or Logon app for Windows or Mac. For more information, see See Audit Logs.

Gateway Log Files

For authentication types that involve the AuthPoint Gateway, look at log files on the Gateway. Log messages include information about Gateway operations, and connections to RADIUS, LDAP, and ADFS. The Gateway runs as four services: Gateway, RADIUS, LDAP, and ADFS.

Each service creates a separate log file. Log messages include the user name and request ID, which can be useful to match a log message to an associated AuthPoint audit log event or error message.

You can find the Gateway log files in this directory: C:\ProgramData\WatchGuard\AuthPoint\logs.

By default, the ProgramData folder is hidden in Windows. To open the folder, press Windows key + R, type %ProgramData%, and click OK.

Tips to Troubleshoot AuthPoint

Here are some tips to troubleshoot issues with specific types of authentication or AuthPoint components. In most cases, try to find:

  • The error codes associated with the error
  • The request ID associated with the error

You can then use that information to search the Audit log and log messages.

Troubleshoot the AuthPoint Gateway

The AuthPoint Gateway runs as four services:

  • Gateway — Communicates with WatchGuard Cloud and configures the other three services
  • RADIUS — Communicates with RADIUS clients
  • LDAP — Communicates with LDAP
  • ADFS — Communicates with ADFS

Use the Windows Services app to verify that all four services are running. In the Services app, the four running services look like this:

Screen shot of the services in the Windows Services app.

If a service is not running, use Windows Event Viewer to see when the service stopped and started.

The Gateway service must start and run correctly before the other services will start. If the Gateway service cannot connect to the cloud, or cannot start for some reason, the other services will hang while they wait for configuration files that never arrive. If you successfully restart the Gateway service, you must also restart the other services after the Gateway service is running correctly again.

In some cases, antivirus software can cause the installation of the Gateway to fail.

Troubleshoot RADIUS Authentication

Look at these log messages and error messages:

  • Audit logs in WatchGuard Cloud
  • RADIUS logs on the AuthPoint Gateway
  • RADIUS client error messages
  • Firebox log messages — If the Firebox is configured as a RADIUS client, search Firebox log messages for user authentication events, and connection errors between the Firebox and the AuthPoint Gateway.

Other things to try:

  • Make sure the RADIUS port (the default ports are 1812 or 1645) is open on the server on which the Gateway is installed. The port is not open by default. If the port is open, make sure it is not used by anything else on that server, which would cause a conflict with the Gateway.
  • Do a pcap between the Gateway and the RADIUS client.

If you configure Mobile VPN on a Firebox to use more than one authentication server, users who do not use the default authentication server must specify the authentication server or domain before the user name. For example, ad1_example.com\j_smith.

Troubleshoot LDAP Authentication

Look at these log messages:

  • In the LDAP logs on the Gateway, look for:
    • Connectivity test results
    • Synchronization events
    • User authentication requests
    • Errors with connections to the domain controller
  • In the WatchGuard Cloud audit logs, look for:
    • LDAP external identity configuration changes
    • LDAP user synchronization errors

Other things to try:

  • If the Gateway is installed on a different server than the LDAP/AD server, do a pcap between the Gateway and the LDAP/AD server to verify that an LDAP response comes back.

Do not add the same LDAP group to multiple group syncs or create multiple group syncs that include the same LDAP user. A user synced from an LDAP database cannot belong to more than one local AuthPoint group. If an LDAP user belongs to multiple group syncs, each time AuthPoint syncs with your LDAP database, the local AuthPoint group that the user belongs to might change.

To add LDAP users to multiple groups in AuthPoint, we recommend that you enable the Create new synchronized groups toggle in your group sync and use your Active Directory group structure to manage your users.

Troubleshoot External External Identities

If the connection test to your external identity fails and NPS is running on the Gateway server, change the RADIUS port that the AuthPoint Gateway uses.

If the connection test to your external identity is successful but AuthPoint does not sync users, we recommend that you verify the credentials and permissions of the system account user. If your Active Directory instance does not use LDAPS, make sure you disable the LDAPS toggle for the external identity.

Troubleshoot AuthPoint Agents for Windows and Mac

When an authentication error occurs, an error message might appear on the AuthPoint Agent for Windows or Mac login page. The error message includes the error code and request ID. Use the error code and request ID to find the error in the audit log.

Troubleshoot IdP Portal

To troubleshoot the IdP portal, ask the user for information about login errors. When authentication fails, an error message appears on the login page. The bottom of the page shows the error code and request ID.

Use the error code and request ID to find the error in the audit log.

Troubleshoot AuthPoint Mobile App

To troubleshoot the mobile app, ask the user for information about login errors. When an authentication error occurs, the mobile device shows an error message that includes the error code. Errors are useful for troubleshooting, because you can look for the error code in the audit log.

In the mobile app, the user can also see token details. Make sure that the token details show these values:

  • Push Status — Registered
  • Time Reference — The correct time

If needed, the user can select the Sync Token option to resynchronize the time and status of a token with the server. This is necessary for authentication so that when the user approves a push or type an OTP, AuthPoint recognizes that the authentication happens in the allowed amount of time. If the time difference between the token timestamp and the server timestamp is too big, the user may not be able to authenticate.

For more information, see Sync Your Token.

Troubleshoot ADFS

To troubleshoot ADFS, you can find useful information in:

  • Event viewer on the computer where the ADFS Agent is installed
  • Audit logs in WatchGuard Cloud
  • ADFS log file on the AuthPoint Gateway
  • ADFS agent log file

Troubleshoot RD Web

The AuthPoint Agent for RD Web runs as a service on the RD Web server. Make sure the WatchGuard AuthPoint RD Web Core service is running.

Tools you can use to troubleshoot RD Web include:

  • IIS server log files — For information about user authentication to the RD Web portal
  • Event Viewer for Remote Desktop Services — For information about user connections to RD Web hosted resources
  • AuthPoint audit logs — For events for RD Web user authentication

Related Topics

AuthPoint Tips and Best Practices

Monitor AuthPoint

Quarantined Users

Test the Connection to an External Identity