Troubleshooting user login to external authentication
Review these troubleshooting tips if you cannot log on to BMC Network Automation software while authenticating with TACACS, RADIUS, or Active Directory. One source of troubleshooting information is the server log file, BCA-Networks.log.0 in the BCAN_DATA/log directory. Many authentication problems surface only as an Invalid User Name or Password message at the logon page; the underlying cause (for example, an AAA server host name that cannot be resolved, or a host that is unreachable) is usually identified more precisely in the log file.
User login account exists in the AAA server database, but not in the application server database
The most common reason is that the user login account exists in the database of the AAA (TACACS, RADIUS, LDAP, Active Directory) server but not in the database of the BMC Network Automation application server.
Every user must be defined in BMC Network Automation in order to assign a role and group access privileges. When you install or upgrade the software and select a non-local authentication mode, you are prompted to enter an Admin User Name; ensure this account exists in your AAA server database and that you know its password.
The installer creates this user in the application server database with Administrator privileges. This is the account that gets the ball rolling; from there you can create your other user accounts.
You can also enable the Automatically Add New Users system parameter. When this parameter is enabled, BMC Network Automation automatically creates user accounts with the specified role when they are successfully authenticated by the AAA server.
Also, if you have switched from local authentication to using an AAA server, any user accounts created in BMC Network Automation remain and can be used, though these are now authenticated by the AAA server.
Incorrect admin user name entered during installation
If you believe you made a mistake in entering the Admin User Name at installation time, run the BMC Network Automation installer again and supply the right user name. Ensure your AAA server has the user account for the user you entered. To find out what you entered, run the installer and click Next without making changes until you reach the AAA parameters page (and Cancel out at this page after you have examined the information).
AAA server requires application server to be configured in its database
Another common reason, especially with Cisco ACS, is that the AAA server only services clients that are registered in its database, and the application server has not been registered. For example, in Cisco ACS you must add the BMC Network Automation system as an AAA client under Network Configuration. In FreeRADIUS you must add the BMC Network Automation system, or its network, to the clients.conf file together with the shared secret. Note that an unregistered client typically gets no response at all (the request times out) rather than an explicit rejection.
AAA server is expecting a different authentication method
Another reason is a protocol mismatch: BMC Network Automation is configured to use TACACS while the AAA server expects this client to use RADIUS (or the other way around). This is especially likely with AAA servers such as Cisco ACS, where both protocols are supported and you choose one of them when you configure the client. Switch between the two by running the installer and choosing the correct authentication mode.
RADIUS servers rejecting client requests
A problem specific to RADIUS servers is that the server might require the client to include certain attributes in its requests, for example NAS-IP-Address or NAS-Port. The server might reject seemingly correct requests until these required attributes are supplied. You can supply them in the Other RADIUS Parameters field in the installer.
One RADIUS/TACACS parameter that usually causes no problems is the Authentication Type (PAP, CHAP, MSCHAP, and so on). Most servers support all of the options provided by BMC Network Automation, so any option the server supports works. Server documentation tells you what is supported, and it is worth verifying your choice. If you are experiencing trouble, do not spend time switching between these choices; the cause is usually something else.
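To tell the three cases above apart (client not registered on the server, required attributes such as NAS-IP-Address or NAS-Port missing, or plain bad credentials), it helps to reproduce the request outside the application. The following script is an added example, not part of the BMC documentation or product; it uses radclient from the FreeRADIUS utilities and assumes placeholder values for the server address, shared secret, user, and the client's source address. The clients.conf stanza in the comments is likewise illustrative.

```shell
#!/bin/sh
# Added example (not BMC's code): send the same kind of RADIUS Access-Request an
# AAA client sends, including NAS-IP-Address and NAS-Port, with FreeRADIUS's
# radclient, and classify the outcome. All addresses, secrets and names are
# placeholders.
#
# The server must know the client first. For FreeRADIUS that is a stanza in
# clients.conf such as (illustrative values):
#   client bmc-network-automation {
#       ipaddr = 10.0.0.20       # address the application server sends from
#       secret = SharedSecretHere
#   }
# FreeRADIUS drops packets from unknown addresses without answering, so an
# unregistered client sees a timeout, not an Access-Reject.

# Build the attribute list that radclient reads from stdin.
# auth_type PAP -> User-Password; CHAP -> CHAP-Password (radclient hashes it).
radius_attrs() {
    user=$1; password=$2; nas_ip=$3; nas_port=$4; auth_type=${5:-PAP}
    printf 'User-Name = "%s"\n' "$user"
    if [ "$auth_type" = "CHAP" ]; then
        printf 'CHAP-Password = "%s"\n' "$password"
    else
        printf 'User-Password = "%s"\n' "$password"
    fi
    # Attributes some servers insist on; in the product these are the values
    # entered in the installer's Other RADIUS Parameters field.
    printf 'NAS-IP-Address = %s\n' "$nas_ip"
    printf 'NAS-Port = %s\n' "$nas_port"
}

# Classify radclient's output (read from stdin) into the outcomes that matter.
classify_radclient_output() {
    out=$(cat)
    case "$out" in
        *Access-Accept*) echo ACCEPT ;;   # client registered, credentials fine
        *Access-Reject*) echo REJECT ;;   # client registered; wrong credentials or missing required attributes
        *"No reply"*|*"no reply"*|*"No response"*|*"no response"*|*"Timed out"*|*"timed out"*)
            echo NO_REPLY ;;              # client not registered, wrong port, firewall (a wrong secret can show as either)
        *) echo UNKNOWN ;;
    esac
}

# Send one Access-Request. Requires radclient (freeradius-utils) and network
# access to the server. nas_ip must be the address the application server uses.
radius_probe() {
    server=$1; secret=$2; user=$3; password=$4; nas_ip=$5
    nas_port=${6:-0}; auth_type=${7:-PAP}
    radius_attrs "$user" "$password" "$nas_ip" "$nas_port" "$auth_type" \
        | radclient -x -r 1 -t 5 "$server" auth "$secret" 2>&1 \
        | classify_radclient_output
}

if [ $# -ge 5 ]; then
    # usage: ./radius_probe.sh 10.0.0.5:1812 SharedSecretHere alice 'Passw0rd' 10.0.0.20 [nas-port] [PAP|CHAP]
    radius_probe "$@"
fi
```

Run it from the application server itself, so that the source address matches the client entry on the AAA server; a NO_REPLY from there, while REJECT or ACCEPT appears from another host, points at the client registration rather than at the user account.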
Application server does not start due to invalid self-signed certificate for LDAP or Active Directory server
If your LDAP or Active Directory server uses a self-signed certificate, you have enabled SSL for authentication, and after installation the application server fails to start with an exception in the log file about an invalid or untrusted certificate, the Java runtime does not trust the directory server's certificate. Perform the following steps:
- Export the self-signed certificate from your LDAP or Active Directory server to the application server:
  - Download the LDAP Admin Tool from http://www.ldapadmintool.com and install it on any computer that has network access to the LDAP or Active Directory server.
  - In the LDAP Admin Tool Connection tab, select the SSL check box and specify the host name and SSL port of the directory server.
  - If a warning message asks whether you want to accept the certificate, the LDAP or Active Directory server is using a self-signed certificate. Before accepting it, compare its fingerprint with the fingerprint obtained directly on the directory server (or from its administrator); a self-signed certificate accepted without that check would just as readily belong to a system impersonating the server. Then accept the certificate.
  - If a connection is not established, one or both of the following conditions apply:
    - The SSL port is not enabled. You need to enable it.
    - The LDAP or Active Directory SSL certificate has not been generated. To learn how to do this, see Microsoft Knowledge Base article 321051 at http://support.microsoft.com/kb/321051.
- Download and import the certificate:
  - In the LDAP Admin Tool, navigate to Security > Manage Trusted Server Certificates.
  - Select the certificate that you accepted, and then click View Certificate.
  - In the Certificate window, click Copy to File and save the certificate to a location on the application server (referred to below as Location of certificate).
  - Import the saved self-signed certificate into the cacerts keystore of the Java runtime bundled with the application server by executing the following command:
    $INSTALLATION_DIR/java/bin/keytool -import -keystore $INSTALLATION_DIR/java/lib/security/cacerts -trustcacerts -file <Location of certificate>
    keytool prompts for the keystore password; the default password of a JDK cacerts keystore is changeit unless it has been changed at your site. Answer yes when asked whether to trust the certificate.
- Restart the Tomcat service.
- Use a web browser to verify that you can log on to the BMC Network Automation system.
- Open this file: BCAN_HOME/BcanInstalledConfiguration.xml. Modify the following installation properties:
  - Set the value for
  - Set the value for AUTHENTICATION_PORT to the SSL port.
  - Set the value for
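The same export-and-import procedure can be done from the application server's own shell, without a GUI tool, which also makes the fingerprint check explicit. The script below is an added example, not BMC's code or part of the procedure above; it assumes openssl is installed on the application server, that $INSTALLATION_DIR is the product installation directory (the default shown is a placeholder), that the bundled Java keystore still has the JDK default password, and that the host name, alias, and expected SHA-256 fingerprint passed to it are your own values.

```shell
#!/bin/sh
# Added example (not BMC's code): fetch the directory server's certificate with
# openssl, check its SHA-256 fingerprint against a value obtained out of band,
# and import it into the cacerts keystore of the Java runtime bundled with the
# application server. INSTALLATION_DIR default, host names and the fingerprint
# are placeholders.

INSTALLATION_DIR=${INSTALLATION_DIR:-/opt/bmc/bca-networks}   # assumed install path
KEYTOOL=$INSTALLATION_DIR/java/bin/keytool
CACERTS=$INSTALLATION_DIR/java/lib/security/cacerts
STOREPASS=${STOREPASS:-changeit}   # JDK default cacerts password; assumed unchanged

# Keep only the first PEM block from `openssl s_client -showcerts` output: that
# is the certificate the server itself presents (for a self-signed server the
# only one); any later blocks are chain certificates.
extract_first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { print }
         /-----END CERTIFICATE-----/ { exit }'
}

# Connect over LDAPS (default port 636) and save the presented certificate.
# An empty result is the command-line equivalent of "no connection" in the
# procedure above: SSL port not enabled, or no certificate generated yet.
fetch_ldaps_cert() {
    host=$1; port=${2:-636}; out=$3
    openssl s_client -connect "$host:$port" -servername "$host" -showcerts </dev/null 2>/dev/null \
        | extract_first_cert > "$out"
    [ -s "$out" ] || { echo "no certificate received from $host:$port" >&2; return 1; }
}

# Upper-case, whitespace-free form so fingerprints typed by hand compare equal.
normalize_fp() {
    tr 'a-z' 'A-Z' | tr -d ' '
}

# SHA-256 fingerprint in openssl's colon-separated form.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//' | normalize_fp
}

# Refuse to import unless the fingerprint matches the one reported by the
# directory administrator; a self-signed certificate has no other anchor.
import_into_cacerts() {
    certfile=$1; alias=$2
    expected_fp=$(printf '%s' "$3" | normalize_fp)
    actual_fp=$(cert_fingerprint "$certfile")
    if [ "$actual_fp" != "$expected_fp" ]; then
        echo "fingerprint mismatch: got $actual_fp, expected $expected_fp; not importing" >&2
        return 1
    fi
    "$KEYTOOL" -importcert -noprompt -trustcacerts -alias "$alias" \
        -file "$certfile" -keystore "$CACERTS" -storepass "$STOREPASS"
    # Confirm the entry exists (non-zero exit if not); then restart Tomcat and retry the logon.
    "$KEYTOOL" -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$alias"
}

if [ $# -ge 3 ]; then
    # usage: ./import_ldaps_cert.sh dc01.example.test 636 'AB:CD:...'  (SHA-256 fingerprint from the directory admin)
    fetch_ldaps_cert "$1" "$2" /tmp/ldaps-server.pem
    import_into_cacerts /tmp/ldaps-server.pem "ldaps-$1" "$3"
fi
```

If the import succeeds but the application server still fails to start, check that the keystore you imported into is the one the bundled runtime actually loads; a runtime that reads a different cacerts file (for example after a Java upgrade) will not see the new entry.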