Hallo,
in einer XG 115 mit der Software 18.5.1 MR-1-Build326 habe ich unter Authentication/User mehrere Benutzer eingetragen, lediglich der Eintrag, der mit einer älteren Firmware erfasst wurde, ist in der Lage, sich noch per SSL anzumelden. Alle Benutzer, die jetzt eingetragen werden, werden mit AUTH-Fehlern abgewiesen, können sich also nicht anmelden. Ich habe alle Einträge verglichen, sie sind bis bei den relevanten Einträgen identisch. Die einfachen LOG-Einträge lauten ‚reason="wrong credentials", mit den gleichen Zugangsdaten kann ich mich aber z.B. über das Userportal anmelden.
Im Forum fand ich zur Fehlerdiagnose folgende Einträge:
Select Option 5 (Device Management) > Option 3 (Advance Shell)
Run this command to put the access_server service in debug:
• service access_server:debug -d -s nosync
Once you capture the access_server logs in debug, run the same command to put access_server service in normal running mode.
Run this command to check service status :
• service -S | grep access_server
SFVUNL_VM01_SFOS 17.5.11 MR-11# service -S | grep access_server
access_server RUNNING,DEBUG
Über den Befehl ‚tail –f /log/access_server.log konnte ich den folgenden Fehler extrahieren:
ERROR Oct 22 19:49:30.431855 [access_server]: pg_db_handle_check_crt_fingerprint: row count: 1 value 0
DEBUG Oct 22 19:49:30.431868 [access_server]: pg_db_submit_response: Request Processed: res_type=-1
WARNING Oct 22 19:49:30.431881 [access_server]: (check_crt_fingerprint): wrong fingerprint for user test1
DEBUG Oct 22 19:49:30.431893 [access_server]: (send_pam_response): resp_code =3, clienttype=13, message='Login failed. Wrong fingerprint of certificate.'
DEBUG Oct 22 19:49:30.431905 [access_server]: send_pam_response: message:'Login failed. Wrong fingerprint of certificate.', len:47, data:'Login failed. Wrong fingerprint of certificate.'
Der mit einer anderen Firmware-Version angelegte User 'test' kann sich mit dem gleichen Zertifikat problemlos anmelden. Was hat sich mit den neueren Firmware-Versionen geändert, daß neuere User-Einträge sich nicht mehr verbinden können oder wie kann ich diese Fehler verhindern?
Ich bin für jeden Tipp dankbar.
Freundliche Grüße
Gerd Beckmann
Hi there,
In an XG 115 with the software 18.5.1 MR-1-Build326 I entered several users under Authentication / User, only the entry that was entered with an older firmware is still able to log in via SSL. All users who are now entered are rejected with AUTH errors, so they cannot log in. I compared all entries, they are identical except for the relevant entries. The simple LOG entries are 'reason = "wrong credentials", but I can log in with the same access data, e.g. via the user portal.
In the forum I found the following entries to diagnose errors:
Select Option 5 (Device Management) > Option 3 (Advance Shell)
Run this command to put the access_server service in debug:
• service access_server:debug -d -s nosync
Once you capture the access_server logs in debug, run the same command to put access_server service in normal running mode.
Run this command to check service status :
• service -S | grep access_server
SFVUNL_VM01_SFOS 17.5.11 MR-11# service -S | grep access_server
access_server RUNNING,DEBUG
Using the command 'tail –f /log/access_server.log I was able to extract the following error:
ERROR Oct 22 19:49:30.431855 [access_server]: pg_db_handle_check_crt_fingerprint: row count: 1 value 0
DEBUG Oct 22 19:49:30.431868 [access_server]: pg_db_submit_response: Request Processed: res_type=-1
WARNING Oct 22 19:49:30.431881 [access_server]: (check_crt_fingerprint): wrong fingerprint for user test1
DEBUG Oct 22 19:49:30.431893 [access_server]: (send_pam_response): resp_code =3, clienttype=13, message='Login failed. Wrong fingerprint of certificate.'
DEBUG Oct 22 19:49:30.431905 [access_server]: send_pam_response: message:'Login failed. Wrong fingerprint of certificate.', len:47, data:'Login failed. Wrong fingerprint of certificate.'
The user 'test' created with a different firmware version can log in with the same certificate without any problems. What has changed with the newer firmware versions that newer user entries can no longer connect or how can I prevent these errors?
I am grateful for every tip.
regards
Gerd Beckmann
This thread was automatically locked due to age.