This article introduces how to locate gateway login and logout records in ns.log to monitor authentication success/failure for each user.
Instructions
Below are some examples:
Scenario 1: User "staff2" failed to log in due to an incorrect password
- Search ns.log for the keyword "AAA LOGIN_FAILED". Note the highlighted words for login information:
Jun 14 10:54:40 <local0.debug> <nsip> 06/14/2022:10:54:40 ns 0-PPE-0 : default AAA Message 207016 0 : "AAA LOGIN REQ: parsed data; username: <staff2>, pwdlen <Non-Zero>, pwdlen2 <Non-Zero>, flags: <0x40000>, flags3: <0x0>"
Jun 14 10:54:40 <local0.info> <nsip> 06/14/2022:10:54:40 ns 0-PPE-0 : default SSLVPN Message 207020 0 : "AAAD API: aaad_authenticate_req: sending login req to aaad for <staff2>, factor <>, auth type 0, trans id 4271"
Jun 14 10:54:40 <local0.info> <nsip> 06/14/2022:10:54:40 ns 0-PPE-0 : default AAATM Message 207025 0 : "AAAD RESP: received resp,user: <staff2>, factor: <>, trans id 4271, pcb trans id 4271, q_flags 1342210048 aaad-resp 3 aaad-flags 1000"
Jun 14 10:54:40 <local0.info> <nsip> 06/14/2022:10:54:40 ns 0-PPE-0 : default AAA Message 207026 0 : "In update_aaa_cntr: Failed policy for user staff2 = LDAP_Auth_Policy"
Jun 14 10:54:40 <local0.warn> <nsip> 06/14/2022:10:54:40 ns 0-PPE-0 : default AAA LOGIN_FAILED 207028 0 : User staff2 - Client_ip <Client_ip_address> - Failure_reason "External authentication server denied access" - Browser Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36
Jun 14 10:54:40 <local0.info> <nsip> 06/14/2022:10:54:40 ns 0-PPE-0 : default AAA Message 207030 0 : "Authentication is rejected for staff2 (client ip : <Client_ip_address> , vserver ip: <vserver_ip_address> ), extended error, if any : "
Scenario 2: User "staff3" successfully logs in to the access gateway and logs off after a while:
- AAA login and SSO to StoreFront
- Note the highlighted words for login information:
Jun 14 11:01:26 <local0.debug> <nsip> 06/14/2022:11:01:26 ns 0-PPE-0 : default AAA Message 209275 0 : "AAA LOGIN REQ: parsed data; username: <staff3>, pwdlen <Non-Zero>, pwdlen2 <Non-Zero>, flags: <0x40000>, flags3: <0x0>"
Jun 14 11:01:26 <local0.info> <nsip> 06/14/2022:11:01:26 ns 0-PPE-0 : default SSLVPN Message 209279 0 : "AAAD API: aaad_authenticate_req: sending login req to aaad for <staff3>, factor <>, auth type 0, trans id 4497"
Jun 14 11:01:27 <local0.info> <nsip> 06/14/2022:11:01:27 ns 0-PPE-0 : default AAATM Message 209284 0 : "AAAD RESP: received resp,user: <staff3>, factor: <>, trans id 4497, pcb trans id 4497, q_flags 1342210048 aaad-resp 2 aaad-flags 1"
Jun 14 11:01:27 <local0.info> <nsip> 06/14/2022:11:01:27 ns 0-PPE-0 : default AAA Message 209285 0 : "In update_aaa_cntr: Succeeded policy for user staff3 =LDAP_Auth_Policy"
Jun 14 11:01:27 <local0.debug> <nsip> 06/14/2022:11:01:27 ns 0-PPE-0 : default AAATM Message 209286 0 : "(0-20) extracted SSOusername: staff3@test.com for user staff3"
Jun 14 11:01:27 <local0.info> <nsip> 06/14/2022:11:01:27 ns 0-PPE-0 : default AAATM Message 209291 0 : "AAAD RESP: received resp,user: <staff3>, factor: <>, trans id 4497, pcb trans id 4497, q_flags 1342210048 aaad-resp 2 aaad-flags 2"
- Search ns.log for the keyword "SSLVPN LOGIN". Note the highlighted words for login information. In this record, the session ID is 20, the username is staff3, the client IP is <Client_ip_address>, and the gateway IP is <vserver_ip_address>. The login method is ICA proxy.
Jun 14 11:01:27 <local0.info> <nsip> 06/14/2022:11:01:27 ns 0-PPE-0 : default SSLVPN LOGIN 209310 0 : Context staff3@<client_ip_address> - SessionId: 20 - User staff3 - Client_ip <Client_ip_address> - Nat_ip "Mapped Ip" - Vserver <vserver_ip_address>:<Port> - Browser_type "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.0.0 Safari/537.36" - SSLVPN_client_type ICA - Group(s) "N/A"
- After the user clicks the logoff icon in the upper right corner of StoreFront, a logout record is written to the log, including the login duration. Search ns.log for the keyword "SSLVPN LOGOUT".
Jun 14 11:01:35 <local0.info> <nsip> 06/14/2022:11:01:35 ns 0-PPE-0 : default SSLVPN LOGOUT 210119 0 : Context staff3@<client_ip_address> - SessionId: 20 - User staff3 - Client_ip <client_ip_address> - Nat_ip "Mapped Ip" - Vserver <vserver_ip_address>:<Port> - Start_time "06/14/2022:11:01:27 " - End_time "06/14/2022:11:01:35 " - Duration 00:00:08 - Http_resources_accessed 0 - NonHttp_services_accessed 0 - Total_TCP_connections 59 - Total_UDP_flows 0 - Total_policies_allowed 59 - Total_policies_denied 0 - Total_bytes_send 0 - Total_bytes_recv 612250 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - LogoutMethod "Explicit" - Group(s) "N/A"
Scenario 3: User "staff3" successfully logs on to SSL VPN
- Search ns.log for the keyword "SSLVPN LOGIN". Note the highlighted words for login information:
Jun 17 13:21:00 <local0.info> <nsip> 06/17/2022:05:21:00 GMT 0-PPE-0 : default SSLVPN LOGIN 1407620 0 : Context administrator@<client_ip_address> - SessionId: 100381 - User administrator - Client_ip <client_ip_address> - Nat_ip <SNIP>- Vserver <vserver_ip_address>:<Port> - Browser_type "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; AGEE 8.0;) NAC/1.0 plugin 12.1.60.19 " - SSLVPN_client_type Agent - Group(s) "N/A"
The client type is "Agent". The rest of the AAA login process is the same as in Scenario 2.
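The keyword searches from the three scenarios can be turned into a per-user summary. The following is an added example, not part of the original article or any Citrix tooling: it parses the "AAA LOGIN_FAILED", "SSLVPN LOGIN" and "SSLVPN LOGOUT" records and counts failures, logins and session time per user. The function names, the summary layout and the sample lines (with placeholder addresses) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The three record types the article searches for in ns.log.
EVENT_RE = re.compile(r"(AAA LOGIN_FAILED|SSLVPN LOGIN|SSLVPN LOGOUT) \d+ \d+ : (.*)$")
STAMP_RE = re.compile(r"\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}")

def parse_line(line):
    """Return the event's fields as a dict, or None for any other ns.log line."""
    m = EVENT_RE.search(line.rstrip("\n"))
    if not m:
        return None
    stamp = STAMP_RE.search(line)
    rec = {"event": m.group(1), "time": stamp.group(0) if stamp else None}
    # The body is a run of "Key value" pairs joined by " - "; values may be quoted.
    for part in m.group(2).split(" - "):
        key, _, value = part.strip().partition(" ")
        rec[key.rstrip(":")] = value.strip().strip('"').strip()
    return rec

def summarize(lines):
    """Count failures, logins and logouts per user and total the session time."""
    stats = defaultdict(lambda: {"failed": 0, "logins": 0, "logouts": 0, "seconds": 0})
    for rec in filter(None, map(parse_line, lines)):
        user = stats[rec.get("User", "?")]
        if rec["event"] == "AAA LOGIN_FAILED":
            user["failed"] += 1
        elif rec["event"] == "SSLVPN LOGIN":
            user["logins"] += 1
        else:
            user["logouts"] += 1
            h, m, s = (int(x) for x in rec.get("Duration", "0:0:0").split(":"))
            user["seconds"] += h * 3600 + m * 60 + s
    return dict(stats)

# Constructed sample lines in the article's format; all IP addresses are placeholders.
SAMPLE = [
    'Jun 14 10:54:40 <local0.debug> 192.0.2.1 06/14/2022:10:54:40 ns 0-PPE-0 : default AAA Message 207016 0 : "AAA LOGIN REQ: parsed data; username: <staff2>, pwdlen <Non-Zero>"',
    'Jun 14 10:54:40 <local0.warn> 192.0.2.1 06/14/2022:10:54:40 ns 0-PPE-0 : default AAA LOGIN_FAILED 207028 0 : User staff2 - Client_ip 192.0.2.50 - Failure_reason "External authentication server denied access" - Browser Mozilla/5.0 (Windows NT 6.3; Win64; x64)',
    'Jun 14 11:01:27 <local0.info> 192.0.2.1 06/14/2022:11:01:27 ns 0-PPE-0 : default SSLVPN LOGIN 209310 0 : Context staff3@192.0.2.51 - SessionId: 20 - User staff3 - Client_ip 192.0.2.51 - Nat_ip "Mapped Ip" - Vserver 198.51.100.10:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "N/A"',
    'Jun 14 11:01:35 <local0.info> 192.0.2.1 06/14/2022:11:01:35 ns 0-PPE-0 : default SSLVPN LOGOUT 210119 0 : Context staff3@192.0.2.51 - SessionId: 20 - User staff3 - Client_ip 192.0.2.51 - Start_time "06/14/2022:11:01:27 " - End_time "06/14/2022:11:01:35 " - Duration 00:00:08 - LogoutMethod "Explicit" - Group(s) "N/A"',
]

if __name__ == "__main__":
    for user, counts in summarize(SAMPLE).items():
        print(user, counts)
```

To run it against a real log, pass the lines of an open ns.log file to `summarize()` instead of `SAMPLE`.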