Why are users who are authenticated through AD SSO not displayed as online on the FW?


For the mode in which the AD SSO service program is installed, the possible causes and the troubleshooting procedure are as follows:
1. The login and logout scripts are incorrectly configured on the AD domain controller.
Check the login and logout scripts on the AD domain controller. The address and port in the login and logout scripts must be the IP address and port of the AD monitoring service.
2. The AD monitoring service is incorrectly configured.
Check the configuration of the AD monitoring service. The parameter settings of the AD monitoring service must be consistent with those on the FW.
3. The AD SSO configuration on the FW is incorrect.
Choose Object > User > Authentication Domain of the User > SSO Settings and verify that the shared key used for AD SSO is the same as the one specified in the AD monitoring service.
4. The anti-replay time of the AD SSO service program is too short.
Check the anti-replay time of the AD SSO service program and ensure that it is not too short. Otherwise, the AD SSO service program may consider the user unauthorized and not send the user's login information to the FW.
5. The number of online users has reached the upper limit.
Choose Object > User > Online User and check whether the number of online users has reached the upper limit.
For the mode in which the FW monitors AD authentication packets, the possible causes and the troubleshooting procedure are as follows:
1. The AD SSO configuration on the FW is incorrect.
Choose Object > User > Authentication Domain of the User > SSO Settings and check whether the Server IP address/port in the AD SSO configuration is the same as that set on the AD server.
2. The number of online users has reached the upper limit.
Choose Object > User > Online User and check whether the number of online users has reached the upper limit.
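The checks in both procedures above compare values held in three places (the domain controller's scripts, the AD monitoring service and the FW) plus two runtime limits. The following script is an added example, not Huawei's code or a product tool: it models those configuration points with constructed class and field names, runs every check from both modes in one pass, and returns one finding per failed check so the operator can see which numbered cause applies. The sample values are constructed, and the minimum anti-replay time is an operator-chosen threshold because the procedure itself gives no number.

```python
from dataclasses import dataclass
from typing import List

# Added example, not Huawei's code. Class names, field names and sample values
# are constructed to mirror the configuration points named in the procedure;
# they are not real product parameters.


@dataclass
class LoginScript:
    """Address and port that the AD domain controller's login/logout scripts report to."""
    ip: str
    port: int


@dataclass
class MonitorService:
    """Settings of the AD monitoring service (the AD SSO service program)."""
    ip: str
    port: int
    shared_key: str
    anti_replay_seconds: int


@dataclass
class FirewallSso:
    """FW settings under Object > User > Authentication Domain of the User > SSO Settings."""
    server_ip: str
    server_port: int
    shared_key: str


@dataclass
class OnlineUsers:
    """Figures read from Object > User > Online User."""
    current: int
    limit: int


def check_service_program_mode(script: LoginScript, monitor: MonitorService,
                               fw: FirewallSso, online: OnlineUsers,
                               min_anti_replay_seconds: int) -> List[str]:
    """Return one finding per failed check for the AD SSO service program mode.

    Finding numbers match the causes in the procedure; an empty list means every
    check passed. min_anti_replay_seconds is an operator-chosen threshold (the
    procedure only says the value must not be too short)."""
    findings = []
    # Cause 1: the scripts must deliver logins to the AD monitoring service.
    if (script.ip, script.port) != (monitor.ip, monitor.port):
        findings.append(f"cause 1: scripts target {script.ip}:{script.port}, "
                        f"monitoring service listens on {monitor.ip}:{monitor.port}")
    # Cause 2: monitoring service parameters must match the FW.
    if (fw.server_ip, fw.server_port) != (monitor.ip, monitor.port):
        findings.append(f"cause 2: FW expects {fw.server_ip}:{fw.server_port}, "
                        f"monitoring service uses {monitor.ip}:{monitor.port}")
    # Cause 3: both sides must hold the same shared key; the comparison is exact,
    # so a case or whitespace difference counts as a mismatch.
    if fw.shared_key != monitor.shared_key:
        findings.append("cause 3: shared key on the FW differs from the monitoring service")
    # Cause 4: a short anti-replay window makes the service program drop real logins.
    if monitor.anti_replay_seconds < min_anti_replay_seconds:
        findings.append(f"cause 4: anti-replay time {monitor.anti_replay_seconds}s "
                        f"is below the chosen minimum {min_anti_replay_seconds}s")
    # Cause 5: no room left in the online-user table.
    if online.current >= online.limit:
        findings.append(f"cause 5: online users {online.current} reached the limit {online.limit}")
    return findings


def check_packet_monitoring_mode(ad_server_ip: str, ad_server_port: int,
                                 fw: FirewallSso, online: OnlineUsers) -> List[str]:
    """Return findings for the mode in which the FW monitors AD authentication packets."""
    findings = []
    # Cause 1: the FW must be told the address/port actually used by the AD server.
    if (fw.server_ip, fw.server_port) != (ad_server_ip, ad_server_port):
        findings.append(f"cause 1: FW uses {fw.server_ip}:{fw.server_port}, "
                        f"AD server is {ad_server_ip}:{ad_server_port}")
    # Cause 2: online-user limit reached.
    if online.current >= online.limit:
        findings.append(f"cause 2: online users {online.current} reached the limit {online.limit}")
    return findings


# Constructed sample: a port typo in the scripts, a key that differs only in case,
# a short anti-replay window and a full online-user table.
SAMPLE_SCRIPT = LoginScript("10.1.1.20", 9999)
SAMPLE_MONITOR = MonitorService("10.1.1.20", 9998, "Sso-Key-1", anti_replay_seconds=30)
SAMPLE_FW = FirewallSso("10.1.1.20", 9998, "sso-key-1")
SAMPLE_ONLINE = OnlineUsers(current=500, limit=500)


def demo() -> List[str]:
    """Run the service-program-mode checks over the constructed sample."""
    return check_service_program_mode(SAMPLE_SCRIPT, SAMPLE_MONITOR, SAMPLE_FW,
                                      SAMPLE_ONLINE, min_anti_replay_seconds=60)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run as-is, the sample reports causes 1, 3, 4 and 5 and stays silent on cause 2, because the FW and the monitoring service agree on address and port while the scripts point at the wrong port. Feeding real values into the dataclasses turns the procedure into a repeatable check rather than a manual comparison across three consoles.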

Other related questions:
Why is a user not displayed as online on the RADIUS server after the user succeeds in authentication?
The RADIUS server judges whether a user is online by whether accounting is performed for the user, not by whether authentication succeeded. If the user succeeds in authentication but does not perform accounting, the RADIUS server considers the user offline. Therefore, in scenarios where accounting is applied, check whether the accounting function is correctly enabled.

Why is a user not displayed as online on the RADIUS server after the user succeeds in S series switch authentication?
In general, the RADIUS server identifies whether a user is online by whether accounting is performed for the user, not by whether the user performed the authentication operation. If a user succeeds in authentication but does not perform accounting, the RADIUS server considers the user offline. Therefore, in scenarios where accounting is applied, check whether the accounting function is correctly enabled.
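Both RADIUS answers above make the same point: the server's online table is driven by accounting packets, not by Access-Accept. The script below is an added example, not Huawei's code or output from any real RADIUS server; it replays a constructed log in an assumed line format and classifies each user the way the server would, so the users who authenticated but never sent an accounting Start (the ones to check the accounting configuration for) fall out directly.

```python
import re
from typing import Dict, List

# Constructed sample log in an assumed format (not any real server's output):
#   <time> <packet type> user=<name> [Acct-Status-Type=<Start|Stop>]
SAMPLE_LOG = """\
10:00:01 Access-Accept user=alice
10:00:02 Accounting-Request user=alice Acct-Status-Type=Start
10:00:05 Access-Accept user=bob
10:00:09 Access-Accept user=carol
10:00:10 Accounting-Request user=carol Acct-Status-Type=Start
10:05:00 Accounting-Request user=carol Acct-Status-Type=Stop
10:06:00 Access-Reject user=dave
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+) (?P<pkt>\S+) user=(?P<user>\S+)"
    r"(?: Acct-Status-Type=(?P<acct>\S+))?$"
)


def online_state(log_text: str) -> Dict[str, str]:
    """Map each user to 'online', 'authenticated-only' or 'offline'.

    Mirrors the RADIUS server's rule from the answers above: only an accounting
    Start makes a user online and a Stop takes them offline; an Access-Accept by
    itself never does. Rejected users never enter the table."""
    state: Dict[str, str] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        user, pkt, acct = m["user"], m["pkt"], m["acct"]
        if pkt == "Access-Accept":
            # Authentication succeeded; does not change an already-online user.
            if state.get(user) != "online":
                state[user] = "authenticated-only"
        elif pkt == "Accounting-Request" and acct == "Start":
            state[user] = "online"
        elif pkt == "Accounting-Request" and acct == "Stop":
            state[user] = "offline"
        # Access-Reject and anything else leave the state untouched.
    return state


def authenticated_but_not_accounted(log_text: str) -> List[str]:
    """Users that passed authentication but never sent an accounting Start.

    These are exactly the users the RADIUS server shows as offline despite a
    successful login, so they are where to look for a missing or misconfigured
    accounting function."""
    return sorted(u for u, s in online_state(log_text).items()
                  if s == "authenticated-only")


if __name__ == "__main__":
    for user, state in online_state(SAMPLE_LOG).items():
        print(f"{user}: {state}")
    print("check accounting for:", authenticated_but_not_accounted(SAMPLE_LOG))
```

In the sample, alice is online, carol went online and then offline, and bob is the case both answers describe: authenticated, never accounted, and therefore not online on the server.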

Why do DHCP users go online through the S2700 but cannot access the Internet?
When a large number of DHCP users go online through the S2700, the S2700 generates a large number of dynamic DHCP snooping binding entries. On the S2700 V1R6C00SPC800, the software provides incorrect priority settings for DHCP snooping binding entries and IP source guard and DAI ACL rules, and the ACL rules have a higher priority than DHCP snooping binding entries. As a result, the software delivers the ACL rules but not DHCP snooping binding entries. User packets cannot be forwarded because no binding entry is available. Solution: Install S2700SPH006, enable DHCP users to go online again, and reconfigure IP source guard and DAI on the physical interface from which DHCP users go online.

Why is the IP address of 802.1x users not displayed when the display access-user command is used on the AR router?
After users are authenticated and go online, the AR router obtains ARP packets from them and learns their IP addresses. If users do not send any ARP packets, the AR router cannot learn or display their IP addresses.
