HP-UX AAA Server A.08.02 Administrator's Guide

ManualsBrandsHP ManualsSoftwareHP-UX AAA Server (RADIUS) Software

361

362

363

364

365

366

367

368

369

370

Table 102 Common Authentication Failure Problems (continued)

TroubleshootingProblem

Check the tokens table in the SQL database to check that the shared secret

is configured for that user.

Resolution

Incoming OTP length for user <user name> in realm <realm name> is

less than the minimum OTP token length <number>. The incoming OTP

length must be <number>.

Log MessageUnable to

authenticate

The password entered by the user is less than the configured OTP length.Cause

Verify that the user has sent the correct OTP value.Resolution

EAP Problems

Compare the error messages recorded in the logfile to those in Table 103 and perform the

corresponding corrective actions.

Table 103 EAP Problems

TroubleshootingProblem

Invalid EAP type '<invalid>' specified for the user '<user name>'

for realm '<realm name>'. Verify the EAP type configured for the

Log MessageInvalid EAP type specified

realm 'example.com' in the appropriate authfile in '/etc/opt/aaa'.

Or, verify the EAP configuration in the Local Realms screen in

Server Manager.

The EAP type specified in the request does not match the EAP type

configured for the realm.

Cause

Configure the supplicant to use the EAP type specified for the

affected realm.

Solution

You can access the realm configuration using the Local Realm

screen in the Server Manager administration utility. See Chapter

8, Configuring Realms on page 97 for more information.

ProcessHandshake TLS: AAA Server generated TLS

alert:'unknown_ca'. The certificate was not accepted. The CA

Log MessageUnable to authenticate

certificate could not be located or matched with a known trusted

CA.

The CA certificate for the client’s certificate is not found in the

HP-UX AAA Server.

Cause

Configure the client to use a certificate whose CA is specified on

the HP-UX AAA Server.

Solution

1. Navigate to the Certificates screen under Server Properties in

the Server Manager administration utility.

2. Specify a fully qualified filename in the .pem format. This file

must contain one of more CA certificates used to authenticate

client certificates in the Client Certificate Authority Path field.

If the path exists, ensure that it contains the client’s CA

certificate.

Save the configuration to the HP-UX AAA Server and restart it.

ProcessHandshake TLS: AAA Server generated TLS alert:

'certificate_expired'. Verify the validity of the user and CA

certificates.

Log Message

The client or supplicant certificate has expired.Cause

Advise the user to acquire a new certificate from the administrator

or ISP, and retry authentication.

Solution

368 Troubleshooting Procedures