
Connection Issues

No response from RADIUS server

Symptoms: Authentication times out, NAC Tracer shows no requests

Check:

  • Firewall rules - UDP 1812/1813 must be open to Warden
  • Warden is running and healthy (check system status)
  • Network device can reach Warden's IP (try ping)
  • The host is configured in Warden with the correct IP
  • If NAT is involved, the source IP might be translated

"Unknown host" errors

Symptoms: NAC Tracer shows "Host not found"

Check:

  • The device's actual source IP (may differ from management IP)
  • Host is configured in Warden with correct IP or IP range
  • If using host groups, verify the IP falls within the range
  • Try a packet capture to see the actual source IP

Shared secret mismatch

Symptoms: Requests arrive but always fail, "malformed packet" in logs

Check:

  • Copy-paste the secret to both sides (don't retype)
  • Watch for trailing spaces or hidden characters
  • Some devices have character limits on secrets
  • Secrets are case-sensitive
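
To confirm a secret mismatch offline, this added example (not Warden code) recomputes the Message-Authenticator HMAC-MD5 from RFC 2869 over a constructed Access-Request and flags the whitespace and hidden-character problems listed above. The secret, username and function names are made up for illustration, and it assumes the network device sends Message-Authenticator.

```python
import hashlib, hmac, os, struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def build_access_request(secret: bytes, username: bytes, ident: int = 1) -> bytes:
    """Constructed Access-Request, signed the way a network device would."""
    attrs = bytes([1, 2 + len(username)]) + username    # User-Name
    attrs += bytes([MSG_AUTH, 18]) + bytes(16)          # zeroed placeholder
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + os.urandom(16)
    packet = bytearray(header + attrs)
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)

def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Recompute HMAC-MD5 over the packet with the attribute value zeroed."""
    pos = 20                                            # attributes follow the header
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            return False                                # attribute list is truncated
        if atype == MSG_AUTH and alen == 18:
            received = packet[pos + 2:pos + 18]
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        pos += alen
    return False                                        # attribute not present

def secret_problems(secret: str) -> list:
    """Flag the copy-paste issues from the checklist above."""
    problems = []
    if secret != secret.strip():
        problems.append("leading or trailing whitespace")
    if any(not c.isprintable() for c in secret):
        problems.append("non-printable character")
    if any(ord(c) > 126 for c in secret):
        problems.append("non-ASCII character")
    return problems

if __name__ == "__main__":
    device_secret = "Constructed-Secret "               # note the trailing space
    pkt = build_access_request(device_secret.encode(), b"alice")
    print(verify_message_authenticator(pkt, b"Constructed-Secret"))
    print(secret_problems(device_secret))
```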

Authentication Failures

User not found

Symptoms: Valid user rejected with "user not found"

Check:

  • Username format matches what the directory expects
  • The identity provider is in the policy's authentication chain
  • Connection to identity provider is working (test connection)
  • User base DN in LDAP config includes the user's location
  • User filter doesn't exclude the user

Password rejected but is correct

Symptoms: User exists but password always fails

Check:

  • If 2FA is enabled, user might need to append/prepend their code
  • Account might be locked in the identity provider
  • Password might have expired
  • Special characters in password might be mishandled
  • For LDAP: bind credentials for Warden's service account

Authenticated but access denied

Symptoms: Credentials accepted but still rejected

Check:

  • Policy access rules - user might not be in allowed groups
  • Time restrictions - access might be limited to certain hours
  • User account might be disabled in Warden
  • Check NAC Tracer for which specific rule denied access

2FA Problems

2FA code always invalid

Symptoms: TOTP codes never work

Check:

  • Device clock sync - TOTP requires accurate time (within 30 seconds)
  • User is using the correct authenticator app entry
  • Code position matches config (append vs prepend)
  • User isn't confusing the 2FA secret with the code itself
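
To tell clock drift apart from a wrong secret or a misplaced code, this added example (not Warden code) computes RFC 6238 TOTP values and reports the time step at which a submitted code would have been valid. It assumes the RFC defaults of HMAC-SHA1, 30-second steps and 6 digits; the secret is the RFC 6238 test key and the function names are hypothetical.

```python
import base64, hashlib, hmac, struct

STEP = 30     # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6    # code length (assumed)

# RFC 6238 test key, base32-encoded the way authenticator apps store it
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

def totp(secret_b32: str, unix_time: int) -> str:
    """TOTP value for the time step containing unix_time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                           # dynamic truncation
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def drift_steps(secret_b32: str, code: str, server_time: int, search: int = 20):
    """Step offset at which `code` is valid, nearest first; None if no match.

    A negative result means the user's device clock is behind the server.
    None within the search range points to a wrong secret or wrong app entry.
    """
    for n in sorted(range(-search, search + 1), key=abs):
        if hmac.compare_digest(totp(secret_b32, server_time + n * STEP), code):
            return n
    return None

def split_credential(value: str, position: str):
    """Split a combined password+code field; returns (password, code)."""
    if position == "append":
        return value[:-DIGITS], value[-DIGITS:]
    if position == "prepend":
        return value[DIGITS:], value[:DIGITS]
    raise ValueError("position must be 'append' or 'prepend'")

if __name__ == "__main__":
    password, code = split_credential("hunter2081804", "append")
    print(password, code, drift_steps(SAMPLE_SECRET, code, 1111111111))
```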

Push notification times out

Symptoms: Auth fails before push can be approved

Check:

  • Most common: Timeout too short - set to 60+ seconds
  • Configure timeout on both Warden AND the network device
  • Set retries to 1 (multiple retries = multiple pushes)
  • User's phone has network connectivity
  • MFA app has notification permissions

Push never arrives

Symptoms: User never receives the push notification

Check:

  • User's phone has internet connectivity
  • App has notification permissions enabled
  • User is registered for MFA with the provider
  • Check the external provider's status (Duo, Azure, etc.)
  • Review Warden logs for errors from the MFA provider

VLAN Assignment Issues

User lands on wrong VLAN

Symptoms: Authenticated but wrong network access

Check:

  • NAC Tracer shows which VLAN was returned
  • User's group membership - VLANs are often group-based
  • Response attributes at policy vs group level
  • Network device is configured to honor RADIUS VLAN attributes

VLAN not applied

Symptoms: Correct attributes returned but VLAN unchanged

Check:

  • All three Tunnel-* attributes are being sent (Type, Medium-Type, Private-Group-ID)
  • VLAN exists on the network device
  • VLAN is allowed on the port/interface
  • Network device is configured for dynamic VLAN assignment
  • Some devices require specific attribute formats
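
To check the attribute triplet in a captured Access-Accept, this added example (not Warden code) parses the RADIUS attribute list and reports which Tunnel-* attribute is missing or carries an unexpected value. It uses the encodings from RFC 2868 and the VLAN values from RFC 3580; the sample attribute lists are constructed, and devices that expect VLAN names instead of numbers will trip the numeric check.

```python
TUNNEL_TYPE, TUNNEL_MEDIUM, TUNNEL_PGID = 64, 65, 81    # RFC 2868 attribute types
VLAN, IEEE_802 = 13, 6                                  # values for VLAN assignment (RFC 3580)

def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as type, length, value."""
    return bytes([atype, 2 + len(value)]) + value

def parse_attributes(blob: bytes) -> dict:
    """Walk the TLV list; keep the first value seen for each type."""
    pos, seen = 0, {}
    while pos < len(blob):
        if pos + 2 > len(blob) or blob[pos + 1] < 2 or pos + blob[pos + 1] > len(blob):
            raise ValueError(f"bad attribute length at offset {pos}")
        seen.setdefault(blob[pos], blob[pos + 2:pos + blob[pos + 1]])
        pos += blob[pos + 1]
    return seen

def tagged_int(value: bytes):
    """Tunnel-Type and Tunnel-Medium-Type carry a 1-byte tag + 3-byte integer."""
    return int.from_bytes(value[1:], "big") if len(value) == 4 else None

def check_vlan_attributes(blob: bytes) -> list:
    """Return a list of problems; an empty list means the triplet is complete."""
    seen, problems = parse_attributes(blob), []
    for atype, name, want in ((TUNNEL_TYPE, "Tunnel-Type", VLAN),
                              (TUNNEL_MEDIUM, "Tunnel-Medium-Type", IEEE_802)):
        if atype not in seen:
            problems.append(f"{name} missing")
        elif tagged_int(seen[atype]) != want:
            problems.append(f"{name} is not {want}")
    pgid = seen.get(TUNNEL_PGID)
    if pgid is None:
        problems.append("Tunnel-Private-Group-ID missing")
    else:
        text = pgid[1:] if pgid and pgid[0] <= 0x1F else pgid   # optional tag byte
        if not (text.isdigit() and 1 <= int(text) <= 4094):
            problems.append("Tunnel-Private-Group-ID is not a numeric VLAN ID")
    return problems

# Constructed attribute lists, as they would appear after the 20-byte RADIUS header
GOOD = (attr(TUNNEL_TYPE, bytes([0, 0, 0, VLAN]))
        + attr(TUNNEL_MEDIUM, bytes([0, 0, 0, IEEE_802]))
        + attr(TUNNEL_PGID, b"120"))
NO_MEDIUM = attr(TUNNEL_TYPE, bytes([0, 0, 0, VLAN])) + attr(TUNNEL_PGID, b"120")

if __name__ == "__main__":
    print(check_vlan_attributes(GOOD), check_vlan_attributes(NO_MEDIUM))
```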

Identity Provider Issues

LDAP connection fails

Symptoms: Can't connect to directory

Check:

  • LDAP server is reachable from Warden (try Test Connection)
  • Port is correct (389 for LDAP, 636 for LDAPS)
  • For LDAPS: Warden trusts the server's certificate
  • Bind credentials (service account) are valid
  • Firewall allows the connection

Certificate errors with LDAPS

Symptoms: TLS/SSL handshake fails

Check:

  • Import the LDAP server's CA cert into Warden's trust store
  • Certificate hasn't expired
  • Certificate hostname matches connection hostname
  • Certificate chain is complete

Users found but groups empty

Symptoms: Auth works but group-based rules fail

Check:

  • Group membership attribute is configured correctly
  • Service account has permission to read group membership
  • For nested groups: nested group lookup is enabled if needed
  • Group sync is configured and running

Still Stuck?

If you can't resolve the issue:

  1. Export a NAC Tracer capture of the failing authentication
  2. Note the exact error message and when it occurs
  3. Document what you've already tried
  4. Contact NocTel support with this information

The more detail, the faster we can help. NAC Tracer exports contain everything we need to understand what's happening.