
NO ROLES ASSIGNED

zanyterp_
Respected Contributor

Re: NO ROLES ASSIGNED

You would put a filter at the top for ip.addr eq n.n.n.n (replacing that with the IP of your domain controller) to see what the duration of communication is, or if you can see timeouts there as well, matching what the IVE reports.

kanorro_
Contributor

Re: NO ROLES ASSIGNED

I have done that but I don't appreciate anything strange :(

I don't think it's a communication problem because it works with any rules and users.

zanyterp_
Respected Contributor

Re: NO ROLES ASSIGNED

OK; thank you for checking.

Unfortunately, there is a timeout happening when connecting for some reason on the failing scenario. While that is happening, the group membership will fail.

How many users are in that group?

Is the user a member of many groups or just the one?

kanorro_
Contributor

Re: NO ROLES ASSIGNED

There are 3 users in that group and it works correctly with all the users until I add a rule for another group or user.

The users belong to several groups.

kanorro_
Contributor

Re: NO ROLES ASSIGNED

Info AUT23457 2012-01-19 21:25:16 - MAG1 - [89.**********] C**********\vasco(Active Directory + Vasco OTP)[] - Login failed. Reason: NoRoles
Info AUT24326 2012-01-19 21:25:16 - MAG1 - [**********] **********\vasco(Active Directory + Vasco OTP)[] - Secondary authentication successful for **********\vasco/IDENTIKEY from 89.129.234.172
Info AUT23278 2012-01-19 21:25:16 - MAG1 - [8**********] C********\vasco(Active Directory + Vasco OTP)[] - Password realm restrictions successfully passed for **********\vasco/Active Directory + Vasco OTP
Info AUT24326 2012-01-19 21:22:46 - MAG1 - [8**********] ***********\vasco(Active Directory + Vasco OTP)[] - Primary authentication successful for *********\vasco/Active Directory CyC from 89.129.234.172

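
An added example, not part of the original posts and not vendor tooling: a Python parser for log lines in the layout shown above that measures the time from primary authentication to the NoRoles failure, so a timeout like the one discussed in this thread stands out (21:22:46 to 21:25:16 in the excerpt is 150 seconds). The sample lines, the EXAMPLE\ names, the 192.0.2.x addresses and the 30-second threshold are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample in the layout of the log excerpt above (newest first).
# EXAMPLE\alice, EXAMPLE\bob and the 192.0.2.x addresses are placeholders.
SAMPLE = r"""
Info AUT23457 2012-01-19 21:30:03 - MAG1 - [192.0.2.11] EXAMPLE\bob(Active Directory + Vasco OTP)[] - Login failed. Reason: NoRoles
Info AUT24326 2012-01-19 21:30:01 - MAG1 - [192.0.2.11] EXAMPLE\bob(Active Directory + Vasco OTP)[] - Primary authentication successful for EXAMPLE\bob/Active Directory CyC from 192.0.2.11
Info AUT23457 2012-01-19 21:25:16 - MAG1 - [192.0.2.10] EXAMPLE\alice(Active Directory + Vasco OTP)[] - Login failed. Reason: NoRoles
Info AUT24326 2012-01-19 21:25:16 - MAG1 - [192.0.2.10] EXAMPLE\alice(Active Directory + Vasco OTP)[] - Secondary authentication successful for EXAMPLE\alice/IDENTIKEY from 192.0.2.10
Info AUT24326 2012-01-19 21:22:46 - MAG1 - [192.0.2.10] EXAMPLE\alice(Active Directory + Vasco OTP)[] - Primary authentication successful for EXAMPLE\alice/Active Directory CyC from 192.0.2.10
"""

# Fields: severity, message id, timestamp, node, [source], user(realm)[roles], message.
# \s* between the first three fields also accepts copies where they were pasted
# together ("InfoAUT234572012-01-19 ..."). "AUT" + 5 digits is assumed from the excerpt.
LINE_RE = re.compile(
    r"^(?P<sev>[A-Za-z]+?)\s*(?P<msgid>AUT\d{5})\s*"
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - (?P<node>\S+) - "
    r"\[(?P<src>[^\]]*)\] (?P<user>[^(]+)\((?P<realm>[^)]*)\)\[(?P<roles>[^\]]*)\] - "
    r"(?P<msg>.*)$"
)

def norole_delays(text):
    """Return [(user, seconds)] from primary auth success to the NoRoles failure."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["msg"]))
    # Oldest first; within one second, put the primary-auth event before the failure.
    events.sort(key=lambda e: (e[0], not e[3].startswith("Primary")))
    primary, delays = {}, []
    for ts, src, user, msg in events:
        key = (src, user)
        if msg.startswith("Primary authentication successful"):
            primary[key] = ts
        elif msg.startswith("Login failed. Reason: NoRoles") and key in primary:
            delays.append((user, int((ts - primary.pop(key)).total_seconds())))
    return delays

def slow_failures(text, threshold=30):
    """NoRoles failures that took longer than `threshold` seconds (assumed cut-off)."""
    return [(u, s) for u, s in norole_delays(text) if s > threshold]

if __name__ == "__main__":
    for user, secs in slow_failures(SAMPLE):
        print(f"{user}: NoRoles {secs}s after primary authentication")
```

A NoRoles failure that arrives within a second or two points at role-mapping rules, while one that arrives minutes after primary authentication points at the directory lookup timing out.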
kanorro_
Contributor

Re: NO ROLES ASSIGNED

I think this is my problem: http://kb.pulsesecure.net/InfoCenter/index?page=content&id=KB22403&cat=ssl_vpn&actp=LIST

I have installed version 7.1R5.

I have 2 Junipers, ACTIVE/PASSIVE. The first one is working correctly but the second can't reach the AD (I think I have to open ports in the firewall). Maybe this is happening for this reason? I don't think so, because the main is working OK with the AD.

THANKS

zanyterp_
Respected Contributor

Re: NO ROLES ASSIGNED

The message is the same; but because you are on 7.1R5 my expectation is that the root cause is different.

Though, yes, if your secondary device cannot connect to the AD then there will be problems logging in because the connection to the domain controller will fail.

kanorro_
Contributor

Re: NO ROLES ASSIGNED

I'll try to open the ports in the firewall tomorrow.

Yes, but the secondary device is not being used (PASSIVE).

I have to solve this error before Wednesday :(

THANKS

zanyterp_
Respected Contributor

Re: NO ROLES ASSIGNED

OK; I thought that was noted as you were logging in directly to the second node for your testing and it is failing. Sorry for misunderstanding. :(

Can you send me the TCP dump and your server IPs through a private message to look at as well? I know you will be working with support tomorrow, but I would like to try and see if I can spot anything.

kanorro_
Contributor

Re: NO ROLES ASSIGNED

I don't think I can give you this information. Sorry.