Users cannot authenticate through IDManager

  • 4
  • Question
  • Updated 8 months ago
Hi there,

On the morning of the 10th of December, new users couldn't authenticate using IDManager. We've checked the authentication logs and see "Reject reason: locking" all the time.

Later, in the afternoon, the same users could auth. normally.

The locking reason appears every day, even when users can access successfully without problems. What is the meaning of "Locking"?

I think the issue was a temporary down state of the server that authenticates users.

Since the 10th, it hasn't happened again.

Thank you all.

Raúl

  • 13 Posts
  • 0 Reply Likes

Posted 2 years ago

  • 4

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi Raúl,

Locking refers to a means of enforcing mutual exclusion when reading or writing to resources.

Think of it as being a synchronisation mechanism for enforcing limits on access to resources in an environment where concurrency takes place.

I suspect that a database was having some backend task or maintenance performed on it, meaning that locks repeatedly couldn't be acquired by ID Manager. After a retry threshold had been met, something like a timeout and/or n attempts, the operations necessary to authenticate a user would fail.

Cheers,

Nick
(Edited)

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
This was something I wrote before I was an Aerohive employee. It is not correct for this issue.

Raúl

  • 13 Posts
  • 0 Reply Likes
Thank you Nick,

So it seems like it is running backend tasks all the time, isn't it? Locking logs are listed again and again...


This capture is from now, and users can auth without problems (I have had no notice about it; incorrect passwords or expired guest accounts are not the matter).

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
You may want to explore this issue with a support case via your point of support.

The locking error could be for other reasons, like a repeated attempt to authenticate when a previous attempt is still pending.

It could refer to an account or client lock, and be nothing to do with synchronisation locking at all.
(Edited)

Raúl

  • 13 Posts
  • 0 Reply Likes
Thank you again. I'll open a case to deal with support. I'll post the resolution here for everyone (if I remember to do it :))

Fahad Tariq

  • 1 Post
  • 1 Reply Like
A client machine gets locked after 4 failed attempts to enter a correct password within 6 minutes. Once locked, the client machine can connect again after an hour. Please keep in mind that the MAC Address of the client machine will be locked, not the Key itself.
(Edited)

Paul

  • 4 Posts
  • 0 Reply Likes
That's unfortunate. This has become a major issue so we may be forced to look elsewhere on our next upgrade.

Nick Lowe, Official Rep

  • 2491 Posts
  • 451 Reply Likes
Hi all,

This is a known issue. You cannot unlock a client once it has been locked and you need to wait an hour for it to become unlocked.

The best option currently is to disable wireless and forget the SSID. Wait for just over an hour and connect again, making sure that the PPSK is valid.

Where a PSK is invalid and a device attempts to authenticate successively, IDM will lock the MAC address for around an hour. If the device has the SSID remembered with an invalid PSK, it will keep trying causing the account to be locked again.

We hear you and we are exploring a mechanism to allow users to query the IDM database to establish locked accounts with the ability to then unlock them. I cannot share more details at present but please be assured that this is not falling on deaf ears.

Thanks,

Nick
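The lockout rule Fahad states above (4 failed attempts within 6 minutes lock the client MAC, not the key, for about an hour) and the re-lock loop Nick describes (a device that remembers the SSID with a stale PPSK keeps retrying and is locked again as soon as the lock expires) are modelled below as an added Python example. This is not Aerohive or IDM code: the sliding-window semantics, whether the threshold-tripping attempt itself is reported as "locking", the MAC addresses and the timestamps are all assumptions made for the illustration.

```python
"""Model of the client-lockout behaviour described in this thread.

Added example, not Aerohive or IDM code. It assumes the rule stated in the
thread: 4 failed PPSK attempts from one client MAC within 6 minutes lock that
MAC for 1 hour, and the PPSK itself is never locked. All events below are
constructed for the example.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_FAILURES = 4                        # failures that trip the lock
FAILURE_WINDOW = timedelta(minutes=6)   # window in which they must occur
LOCK_DURATION = timedelta(hours=1)      # how long the MAC stays locked


class LockoutTracker:
    """Sliding-window lockout keyed on client MAC (assumed semantics)."""

    def __init__(self, max_failures=MAX_FAILURES, window=FAILURE_WINDOW,
                 lock_for=LOCK_DURATION):
        self.max_failures = max_failures
        self.window = window
        self.lock_for = lock_for
        self._failures = defaultdict(deque)   # mac -> recent failure times
        self._locked_until = {}               # mac -> lock expiry

    def is_locked(self, mac, now):
        until = self._locked_until.get(mac)
        return until is not None and now < until

    def attempt(self, mac, psk_valid, now):
        """Process one authentication attempt and return 'accept',
        'invalid-psk', or 'locking' (the reject reason seen in the OP's
        logs). Assumption: the attempt that trips the threshold is itself
        reported as 'locking'."""
        if self.is_locked(mac, now):
            return "locking"                  # ignored while locked
        if psk_valid:
            self._failures[mac].clear()
            return "accept"
        recent = self._failures[mac]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # drop failures outside window
        if len(recent) >= self.max_failures:
            self._locked_until[mac] = now + self.lock_for
            recent.clear()
            return "locking"
        return "invalid-psk"


def replay(events):
    """Feed (timestamp, mac, psk_valid) events through one tracker and
    return the outcome of each in order."""
    tracker = LockoutTracker()
    return [tracker.attempt(mac, ok, ts) for ts, mac, ok in events]


def typo_scenarios():
    """Two constructed guest scenarios: a burst of typos that locks the MAC
    (while the same PPSK still works from another MAC), and the same number
    of typos spread past the window, which does not lock anything."""
    t0 = datetime(2023, 12, 10, 9, 0, 0)
    guest, colleague = "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:03"
    burst = [(t0 + timedelta(seconds=30 * i), guest, False) for i in range(4)]
    burst += [(t0 + timedelta(seconds=150), guest, True),      # right PPSK, still locked
              (t0 + timedelta(seconds=150), colleague, True)]  # same PPSK, other MAC
    spread = [(t0 + timedelta(seconds=150 * i), guest, False) for i in range(4)]
    spread.append((t0 + timedelta(seconds=600), guest, True))
    return {"burst": replay(burst), "spread": replay(spread)}


def stale_client_lock_times(retry_every=timedelta(seconds=30),
                            horizon=timedelta(hours=3)):
    """Simulate a device that remembers the SSID with an expired PPSK and
    retries automatically. Returns the offsets in seconds at which the MAC
    was (re)locked, showing the loop described in the thread."""
    tracker = LockoutTracker()
    t0 = datetime(2023, 12, 10, 9, 0, 0)      # constructed start time
    mac = "aa:bb:cc:dd:ee:01"                 # constructed MAC
    locks, now = [], t0
    while now - t0 <= horizon:
        was_locked = tracker.is_locked(mac, now)
        if tracker.attempt(mac, False, now) == "locking" and not was_locked:
            locks.append(int((now - t0).total_seconds()))
        now += retry_every
    return locks


if __name__ == "__main__":
    print(typo_scenarios())
    print(stale_client_lock_times())   # one new lock every ~hour
```

The second simulation is the point of Nick's advice: with a 30-second retry the device is re-locked within two minutes of each expiry, so the lock never clears on its own until the stale profile is forgotten or corrected.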

Paul

  • 4 Posts
  • 0 Reply Likes
The unchangeable, mandatory time limit of 1 hour is a bit ridiculous. If a customer comes in for a meeting and gets locked out they're basically SOL for the duration of the meeting at that point. Upper management was less than pleased last time this happened.

If we had some control over the lockout time limit that would give us enough control to at least solve these situations when they arise.

Chris B, Official Rep

  • 93 Posts
  • 10 Reply Likes
Hi Paul

As Nick mentions above, we do have a feature request raised internally to change this behaviour. We do hear you and understand the problem, and I do hope it will be implemented soon into IDM. Unfortunately what is mentioned above is the best course of action in the interim.

Chris

Paul

  • 4 Posts
  • 0 Reply Likes
That really isn't an option if we have a vendor or sales meeting with someone who has been here before and ends up getting locked out. 

Tanner Lansky

  • 3 Posts
  • 0 Reply Likes
We are experiencing the same issue. However, we are also noticing that guests who have never been on our network before come in and try to use a new key we generate with ID Manager, and it will say failed to authenticate, and on ID Manager the log will have the client's MAC and will say locking. At first we suspected typos, so we entered the password for other new guests that came in and ensured we were typing it right, and it still said authentication failed and said locking. To mitigate the issue we realized that if we just generate 2-3 more keys, one of the new keys will eventually work for that client. We understand that if it is a returning guest that did not forget the network, it will automatically try to authenticate till they get the 1 hour lockout, but these are new guests with new keys that are getting locked out. We do not know what is causing this issue. Has anyone else experienced this?

John Kahl

  • 3 Posts
  • 1 Reply Like
I have been fighting these issues for over two years and it has never gotten any better. Aerohive fired the clown that managed the IDM team and it now seems that there are no advancements made with IDM at all. I would suggest steering clear of IDM if you want to retain your sanity.

John Kahl

  • 3 Posts
  • 1 Reply Like

I would also add that Locking was added due to clients with expired keys continuously requesting authentication; in order to prevent IDM server overload, the team added the lockout feature to ignore the expired client requests in the hope of improving the database performance.

Clearpass  $

Packetfence  Free

There are many others to choose from.



Tanner Lansky

  • 3 Posts
  • 0 Reply Likes
So we had another wireless mishap today at our corporate office. We had 15+ users come in for training and our front desk guard generated a guest passkey for all of them as usual. As I stated in my post above, this was going to cause issues with locking accounts and angry clients. With that being said, sure enough, only 4 of the 15+ users could connect. Cue angry clients... Then we noticed that out of the 15+ accounts created, only 6 of them were actually created in ID Manager. We generated 15+ guest accounts with passkeys and they printed out as they normally do; they just were not validated or showing up in ID Manager. So we had to go through and create 11+ more keys, and noticed that again only about 9 new accounts actually showed up in ID Manager, and all 9 were able to connect with no problem. So now we had 2-3 more users that could not connect even though they now have 2 different printed credentials. We created more accounts and they showed up in ID Manager, so they were able to connect no problem. Is this an issue with ID Manager? Do we have something misconfigured? We assume this is why people have been getting locked out of the system even though they are not returning guests that forgot to forget the network before returning. This is the only time we noticed this happening, but we will keep a close eye on this next time an issue arises.

Tanner Lansky

  • 3 Posts
  • 0 Reply Likes
So it turns out our front desk guard who creates the wireless accounts for our guests kept using his email for creating the guests. This meant that every time he created a new guest, it would say something along the lines of "There is already an account associated with the email: email@email.com. Would you like to recreate the credentials?" Right when you click confirm, it would immediately revoke and remove the credentials of the previous guest created and produce a new guest account. We were able to disable the email requirement when creating a guest, but we are still having this issue when creating a group. I am currently working with the support team to find a way to work around this. I will post an update if we find a solution.

Alex Noyes

  • 5 Posts
  • 0 Reply Likes
Did you ever hear back on this Tanner?