User Authenticated in Current Activities but not being used in Firewall/Web

Hi all,

I have run into an issue wherein users are logging in via STAS and I can see them in the Current Activities screen but then they are being blocked because they are showing in the Log Viewer as unauthenticated. It's a really weird disconnect I've never seen before, authenticated but their auth seems to not be being passed to the other services or it's not being referenced.

I have rebuilt the node as originally it was a v17.1.3 upgraded so in case that was an issue I wiped and installed direct to v17.4.0-Beta2.

I have double and triple checked all auth configuration and it is a pretty standard, almost basic, setup. 2 DCs, SSO Suite in the same group on STAS on XG, services are configured correctly, Bob's your uncle.

If someone has seen this before, or if this is a known issue in Jira for the next Beta/GA release, could you let me know? That'd be fab!

I haven't had a chance to trawl through the intense amount of logs yet for the access_server and awarrenhttp.

Emile

  • What does the output of "ipset -L lusers" show for the source address? When a packet comes into the LAN, the firewall first looks to see if it knows any "stas" status on it. If it does not, it sends off a query to the collector. The collector will try to WMI query or registry query the client, and based on the results of the query from the collector to the client, it will pass back the results to the firewall. During the query time it's a bit of a grace period where traffic is allowed until the query times out or the collector responds.

    The output of "ipset -L lusers" has 4 states: Learning, LearningRetry1, Unauthenticated. The other state is authenticated, but it is indicated by the user's numeric "id" being appended to the address within the output.

    Learning: the first state an unknown packet has arrived

    LearningRetry1: second attempt at correlating a user to ip

    Unauthenticated: the Learning and LearningRetry1 phases were unsuccessful, source address traffic dropped for the time period defined by the "unauth-traffic" value.

    It would be interesting to see what stas state your test system is in when you see the problem.

     

    Tom

  • Hi Tom,

    Users are showing as authenticated and good to go which is what is really odd!

    I'm going through the logs today, and doing some config changes.

    Emile

  • Tell a lie, I have just found a user which is showing as authed in Current Activities but when I do an ipset check on their IP it is showing as unauthenticated.

    Very odd! Any ideas of the cause?

    Emile
