Troubleshoot RADIUS Server Integration Errors
The best way to troubleshoot a failed login is to test the settings in the security provider's configuration page. The section below helps you to understand the messages you may receive.
If testing a username and password from the Security Providers page produces no errors but the user cannot log into BeyondTrust using those same credentials, check that at least one of the following sets of criteria is met.
- The user has been expressly added to an existing group policy.
- A default group policy has been set for the security provider configuration created to access the server against which the user is authenticating.
- The user is a member of a group that has been expressly added to an existing group policy, and both user authentication and group lookup are configured and linked.
Message 1: Authentication Failed
- The username and password that you are testing do not match.
- Reenter the credentials or attempt another username and password.
Message 10: Server Unavailable
- Your DNS information may be incorrect. You can test if your DNS server resolves by using the tools on the Support > Utilities page in your BeyondTrust /appliance interface.
- The shared secret configured on the RADIUS server must match the shared secret configured on your BeyondTrust Appliance.
- If a user who can normally authenticate cannot connect, check if the user's hours are restricted on the RADIUS server.
- If you are using an IAS server, the user authenticating must have remote access permission enabled.
- Authentication via PAP must be enabled. This is the only RADIUS method currently supported by BeyondTrust. Edit your IAS policy and ensure that this method is supported as a means of authenticating via the BeyondTrust Appliance.
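The shared secret and PAP items above interact, and the following Python example shows how. It is added here for illustration, is not BeyondTrust code, and follows RFC 2865 rather than any vendor implementation; the function names, secrets and password are constructed for the example. It hides a PAP password on the client side, recovers it on the server side, and checks the server's reply on the client side.

```python
import hashlib
import hmac
import os
import struct

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR 16-byte blocks with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += block
        prev = block  # the next block is keyed by this ciphertext block
    return out

def recover_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same scheme; yields garbage if the secrets differ."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")

def build_reply(code: int, ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Attribute-less reply with the Response Authenticator of RFC 2865 section 3."""
    header = struct.pack("!BBH", code, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()

def reply_is_valid(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client check: recompute the Response Authenticator with the local secret."""
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def simulate(client_secret: bytes, server_secret: bytes,
             password: bytes = b"Constructed-Passw0rd!"):  # constructed sample value
    """Return (server recovered the real password, client can validate the reply)."""
    request_auth = os.urandom(16)
    hidden = hide_password(password, client_secret, request_auth)
    seen = recover_password(hidden, server_secret, request_auth)
    code = 2 if seen == password else 3  # 2 = Access-Accept, 3 = Access-Reject
    reply = build_reply(code, 1, request_auth, server_secret)
    return seen == password, reply_is_valid(reply, request_auth, client_secret)
```

With matching secrets `simulate` returns `(True, True)`. With different secrets both values are `False`: the server sees a wrong password even though the user typed the right one, and the client has no reply it can validate.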
Error 6ca and Slow Logins
- A 6ca error is a default response signifying that the BeyondTrust Appliance has not heard back from the DNS server. It may occur when attempting to log into the representative console.
- If users are experiencing extremely slow logins or are receiving the 6ca error, verify that DNS is configured in your /appliance interface.
Troubleshooting Individual Providers
When configuring an authentication method tied to group lookup, it is important to configure user authentication first, then group lookup, and finally group policy memberships. When troubleshooting, work in reverse.
- Verify that the group policy is looking up valid data for a given provider and that you do not have any @@@ characters in the Policy Members field.
- Next, if a group provider is configured, verify that its connection settings are valid and that its group Search Base DN is in the proper format.
- If you want to use group lookup, verify that the security provider is set to look up group memberships of authenticated users.
- To test the user provider, set a default policy and see if your users are able to log in.