HP-UX AAA Server A.08.02 Administrator's Guide

Table 102 Common Authentication Failure Problems (continued)
Problem / Troubleshooting
Cause:
The HP-UX AAA Server is not able to resynchronize the sequence counter as the OTP in the request is incorrect. This can happen because of one of the following reasons:
- The OTP is out of synchronization beyond the value configured in OTP-Lookup-Window.
- The length of the OTP does not match the configured value.
- The OTP is incorrect (wrongly entered by the user).
- The shared secret used to generate the OTP may not be in binary format.

Resolution:
Validate the OTP using the User Database Administration tool. You can also check if the OTP-Token-Length for the user is correct. In addition, you can check if the user has correctly entered the OTP.
Verify that you have used the AAAConvertandSetHexToBinaryString() conversion function or your own conversion function to convert the shared secret to binary.
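
The four causes listed above can be told apart offline with a small checker. This is an added example, not code from this guide or from the HP-UX AAA Server; it assumes the tokens follow RFC 4226 (HOTP, HMAC-SHA-1, event counter), `hotp` and `diagnose` are hypothetical helper names, and `window` stands in for the OTP-Lookup-Window value.

```python
import hashlib
import hmac
import struct

# Assumption: RFC 4226 HOTP tokens. All names here are illustrative only.

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP value for one counter, zero-padded to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def diagnose(secret: bytes, otp: str, counter: int, digits: int, window: int) -> str:
    """Report which of the listed causes explains a failed OTP validation."""
    if digits not in (6, 7, 8):
        return "invalid configured token length"
    if len(otp) != digits or not (otp.isascii() and otp.isdigit()):
        return "OTP length does not match configured length"
    # Normal validation: accept a match at the counter or inside the window.
    for step in range(window + 1):
        if hmac.compare_digest(hotp(secret, counter + step, digits), otp):
            return "valid" if step == 0 else f"valid after resync (+{step})"
    # If the stored secret is hex text, the token's raw-byte key gives other OTPs.
    try:
        raw = bytes.fromhex(secret.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        raw = None
    if raw and any(hotp(raw, counter + s, digits) == otp for s in range(window + 1)):
        return "secret stored as hex text, not binary"
    # Diagnostics only: look further ahead to separate "drifted" from "wrong".
    for step in range(window + 1, window + 101):
        if hotp(secret, counter + step, digits) == otp:
            return f"out of sync beyond window (+{step})"
    return "OTP incorrect"
```

The look-ahead past the window is for troubleshooting only; a production validator should never accept an OTP outside the configured window.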

Problem: Unable to authenticate

Log Message:
Configured OTP token length for user <user name> in realm <realm name> is less than 6. The valid OTP token length is either 6, 7 or 8. Verify that the configured token length is valid
Or
Configured OTP token length for user <user name> in realm <realm name> is greater than 8. The valid OTP token length is either 6, 7 or 8. Verify that the configured token length is valid

Cause:
The OTP is wrongly configured in the OTP-Token-Length attribute or in the otp_token_length system-wide configuration item.

Resolution:
Check the value of the OTP-Token-Length attribute in the user profile, in the request-ingress.grp file, or in the aaa.config file. For more information, see Attributes for Configuring OTP Authentication (page 137).

Problem: Unable to authenticate

Log Message:
Invalid OTP Action Id. The OTP Action Id set through the bit mask for user <user name> in realm <realm name> is zero. The valid OTP Action Id value is range from 1 to 127. Configure the valid OTP Action Id.
Or
Invalid OTP Action Id. The OTP Action Id set through the bit mask for user <user name> in realm <realm name> is negative. The valid OTP Action Id value is range from 1 to 127. Configure the valid OTP Action Id.
Or
Invalid OTP Action Id. The OTP Action Id set through the bit mask for user <user name> in realm <realm name> is greater than the maximum OTP Action Id value 127. The valid OTP Action Id value is range from 1 to 127. Configure the valid OTP Action Id.

Cause:
An invalid OTP action is configured in the request-ingress.grp file.

Resolution:
Check the configuration in the request-ingress.grp file. The value for the OTP Action must be between 1 and 127. For more information on OTP authentication configuration, see “Advanced OTP Authentication Configuration Concepts” (page 134).

Problem: Unable to authenticate

Log Message:
The token for user <user name> in realm <realm name> is not active. HP-UX AAA Server validates the OTP only for active tokens. Verify the token status in the token repository.
Or
The token with serial number <serialnumber> for user <user name> in realm <realm name> is not active. The current token status is