HP-UX AAA Server A.08.02.10 Administrator's Guide HP-UX 11i v3 (T1428-90093, November 2013)

Table 102 Common Authentication Failure Problems (continued)
Columns: Problem, Troubleshooting

Troubleshooting:
  Solution: Manually edit the /etc/opt/aaa/dictionary file and add the
  attribute <attribute>.

Problem: Unable to authenticate
Troubleshooting:
  Log Message: Sequence counter resynchronization failed for user <user name>
  in realm <realm name> after <number> unsuccessful OTP validations. The last
  sequence counter attempted is <number>.

  Cause: The HP-UX AAA Server is not able to resynchronize the sequence
  counter as the OTP in the request is incorrect. This can happen because of
  one of the following reasons:
  - The OTP is out of synchronization beyond the value configured in
    OTP-Lookup-Window.
  - The length of the OTP does not match the configured value.
  - The OTP is incorrect (wrongly entered by the user).
  - The shared secret to be used to generate OTP may not be in the binary
    format.

  Resolution: Validate the OTP using the User Database Administration tool.
  You can also check if the OTP-Token-Length for the user is correct. In
  addition, you can check if the user has correctly entered the OTP.
  Verify that you have used the AAAConvertandSetHexToBinaryString()
  conversion function or your own conversion function to convert the shared
  secret to binary.

Problem: Unable to authenticate
Troubleshooting:
  Log Message: Configured OTP token length for user <user name> in realm
  <realm name> is less than 6. The valid OTP token length is either 6, 7 or 8.
  Verify that the configured token length is valid
  Or
  Configured OTP token length for user <user name> in realm <realm name> is
  greater than 8. The valid OTP token length is either 6, 7 or 8. Verify that
  the configured token length is valid

  Cause: The OTP is wrongly configured in the OTP-Token-Length attribute or
  in the otp_token_length system-wide configuration item.

  Resolution: Check the value of the OTP-Token-Length attribute in the user
  profile, in the request-ingress.grp file, or in the aaa.config file. For
  more information, see Attributes for Configuring OTP Authentication
  (page 138).

Problem: Unable to authenticate
Troubleshooting:
  Log Message: Invalid OTP Action Id. The OTP Action Id set through the bit
  mask for user <user name> in realm <realm name> is zero. The valid OTP
  Action Id value is range from 1 to 127. Configure the valid OTP Action Id.
  Or
  Invalid OTP Action Id. The OTP Action Id set through the bit mask for user
  <user name> in realm <realm name> is negative. The valid OTP Action Id
  value is range from 1 to 127. Configure the valid OTP Action Id.
  Or
  Invalid OTP Action Id. The OTP Action Id set through the bit mask for user
  <user name> in realm <realm name> is greater than the maximum OTP Action Id
  value 127. The valid OTP Action Id value is range from 1 to 127. Configure
  the valid OTP Action Id.

  Cause: An invalid OTP action is configured in the request-ingress.grp file.

  Resolution: Check the configuration in the request-ingress.grp file. The
  value for the OTP Action must be between 1 and 127. For more information on
  OTP authentication configuration, see Advanced OTP Authentication
  Configuration Concepts (page 135).
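
The causes listed for the sequence counter resynchronization failure can be told apart offline. The following Python code is an added example, not code from the HP-UX AAA Server or from this guide. It assumes the OTP is an RFC 4226 HOTP value and that the lookup window is a look-ahead count of counters; the function names, status strings and sample secret are constructed for illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def find_counter(secret, counter, otp, digits, window):
    """Return the counter in [counter, counter + window] yielding otp, else None."""
    for c in range(counter, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), otp):
            return c
    return None


def diagnose(stored_secret: bytes, counter: int, otp: str, digits=6, window=10):
    """Classify one validation attempt; returns (status, next_counter)."""
    if not 6 <= digits <= 8:  # the guide allows token lengths 6, 7 or 8 only
        return ("invalid-token-length", counter)
    if len(otp) != digits or not (otp.isascii() and otp.isdigit()):
        return ("otp-length-mismatch", counter)
    hit = find_counter(stored_secret, counter, otp, digits, window)
    if hit is not None:
        return ("ok", hit + 1)  # resynchronize past the matched counter
    # Was the secret stored as ASCII hex text instead of raw bytes?
    try:
        binary = bytes.fromhex(stored_secret.decode("ascii"))
    except (UnicodeDecodeError, ValueError):
        binary = None
    if binary and find_counter(binary, counter, otp, digits, window) is not None:
        return ("secret-not-binary", counter)
    return ("out-of-window-or-wrong-otp", counter)


# Constructed sample: the RFC 4226 Appendix D test secret.
KEY = b"12345678901234567890"
if __name__ == "__main__":
    print(diagnose(KEY, 0, "969429", window=5))       # counter 3, inside window
    print(diagnose(KEY, 0, "520489", window=5))       # counter 9, outside window
    print(diagnose(KEY.hex().encode(), 0, "755224"))  # secret left as hex text
```

A "secret-not-binary" result means the OTP only validates after the stored value is decoded from hexadecimal, which corresponds to the missing conversion step named in the Resolution.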