
Trace Flow

A typical authentication trace shows these stages in order:

  1. Request Received - RADIUS packet arrives from network device
  2. Host Identified - Match request to configured host/group
  3. Policy Loaded - Get policy assigned to the host
  4. Identity Provider Query - Verify credentials against each provider
  5. 2FA Check - Verify second factor if required
  6. Access Rules - Evaluate group-based access rules
  7. Response - Send Accept/Reject with attributes

Key Information in Each Step

Request Received

Shows what the network device sent:

  • User-Name - The username being authenticated
  • NAS-IP-Address - IP of the network device
  • Calling-Station-Id - Client's MAC address
  • NAS-Port-Type - Wired, Wireless, etc.
  • Service-Type - Login, Framed, etc.

Host Identified

How Warden matched the request to a host:

  • Host name and IP
  • Whether it matched a specific host or a host group range
  • If no match: "Unknown host" - this is why the request fails

Policy Loaded

Which policy is being used:

  • Policy name
  • Authentication chain (identity providers)
  • 2FA methods configured (if any)

Identity Provider Query

Credential verification details:

  • Which provider was tried
  • Time taken to query
  • Result: found/not found, password valid/invalid
  • User's groups from directory
  • If using multiple providers, each try is shown

2FA Check

Second factor verification:

  • Whether 2FA was required
  • Code position (append/prepend)
  • Verification result
  • For push: waiting time and approval status

Access Rules

Group-based access control:

  • Rules that were evaluated
  • Which rule matched (if any)
  • Result: allowed or denied
  • User's group memberships considered

Response

The final decision and data:

  • Access-Accept or Access-Reject
  • All RADIUS attributes returned
  • Total processing time
  • For rejects: the specific reason

Interpreting Failures

Host Not Found

The source IP doesn't match any configured host or host group. Check that the device is registered in Warden with the correct IP.

User Not Found

The username doesn't exist in any of the policy's identity providers. Check the username spelling and that the correct providers are in the authentication chain.

Invalid Password

Username was found but password is wrong. If using 2FA, check that the code is in the right position (append vs prepend).

2FA Required

User needs to provide a 2FA code but didn't. Make sure the user knows to append/prepend their TOTP code to the password.

Invalid 2FA Code

2FA code was provided but is incorrect. Check device time sync (TOTP requires accurate clocks) and code position setting.
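The effect of the code position setting and of clock drift, described under Invalid Password and Invalid 2FA Code, as an added example that is not Warden's code. It assumes RFC 6238 TOTP (HMAC-SHA1, 30-second steps, 6 digits) and a password-then-code check order that follows the trace stages; the function names, the sample password and the `drift_steps` parameter are illustrative.

```python
import hashlib
import hmac
import struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing unix_time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def split_credential(combined: str, position: str, digits: int = 6):
    """Split the submitted password field into (password, code)."""
    if position == "append":
        return combined[:-digits], combined[-digits:]
    if position == "prepend":
        return combined[digits:], combined[:digits]
    raise ValueError("position must be 'append' or 'prepend'")

def check(combined, position, stored_password, secret, server_time, drift_steps=1):
    """Simplified model (assumption): password first, then TOTP, as in the trace order.
    stored_password stands in for the identity provider's verdict."""
    password, code = split_credential(combined, position)
    if not hmac.compare_digest(password.encode(), stored_password.encode()):
        return "Invalid Password"
    for k in range(-drift_steps, drift_steps + 1):
        expected = totp(secret, server_time + k * 30)
        if hmac.compare_digest(code.encode(), expected.encode()):
            return "Accept"
    return "Invalid 2FA Code"

# Constructed sample data: RFC 6238 test secret and a made-up password.
SECRET = b"12345678901234567890"
PASSWORD = "Corr3ct-Horse"
USER_TIME = 1111111109          # clock on the user's token
CODE = totp(SECRET, USER_TIME)  # code the user types

if __name__ == "__main__":
    ok = PASSWORD + CODE
    print(check(ok, "append", PASSWORD, SECRET, USER_TIME))
    print(check(CODE + PASSWORD, "append", PASSWORD, SECRET, USER_TIME))
    print(check(ok, "append", PASSWORD, SECRET, USER_TIME + 2, drift_steps=0))
    print(check(ok, "append", PASSWORD, SECRET, USER_TIME + 2, drift_steps=1))
```

A code typed on the wrong side of the password corrupts the password half of the split, so the trace reports Invalid Password rather than Invalid 2FA Code. A two-second clock difference that crosses a step boundary is enough to fail when no drift window is allowed.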

Group Access Denied

User authenticated successfully but isn't in an allowed group. Check the policy's access rules and the user's group memberships.

Account Disabled

User exists but account is disabled. Enable the account or check if it was intentionally disabled.

Time Restriction

Policy or group has time-based restrictions that prevent access at this time. Check the schedule settings.

Performance Analysis

Traces include timing for each step. Use this to identify bottlenecks:

  • < 50ms: Excellent - typical for local operations
  • 50-200ms: Normal - expected for LDAP queries
  • 200ms-1s: Slow - check network latency to provider
  • > 1s: Very slow - investigate connection issues

Common causes of slow authentication:

  • Network latency to identity provider
  • DNS resolution delays
  • TLS handshake overhead (first connection)
  • Overloaded identity provider
  • Complex group membership queries
