Troubleshooting TCP/IP address range authentication

Troubleshooting TCP/IP address range authentication

This article outlines some information gathering that will help support identify solutions when a session fails TCP/IP range authentication.

Are the TCP/IP Ranges on File Correct?

Coherent Digital uses the IP ranges assigned to your institution in the PSI IpRegistry.  If you maintain TCP/IP ranges in that database, then Coherent Digital will automatically receive any update within 24 hours.  If you do not use the IpRegistry, then please provide Coherent Support with the most recent validated ranges for your institution.

Within the IpRegistry, some TCP/IP ranges listed in your account may need validation before they are released to vendors.  Any unverified IP address in your account will show up in a yellow background if it is awaiting verification.  Your PSI account administrator simply needs to confirm the listed ranges using the available checkbox.

Information About the Failed Attempt

When access fails, it is helpful to provide a browser screenshot showing the URL in use.  In successful authentication attempts, the Coherent Digital site will show the logo of the institution that it is recognizing.  If no branding logo is configured, then this will not appear, so first it helps to make sure your account has been configured with a branding logo.  Please also note the date & time of the failed access.  This allows support to inspect access logs during the time range to see how the system responded to the authentication request.

If you are accessing the Coherent Digital site through a campus proxy, please notify us of the IP address in use by the proxy.  If you are accessing from directly on campus (from within the configured ranges assigned to your account) then please make note of the IP address in use by your browser.  This can be determined by visiting https://whatismyipaddress.com/ and make note of both the IPv6 and IPv4 address that it reports.

If you are accessing the Coherent Digital site through Shibboleth or Open Athens, then the browser IP address is not used for authentication in those circumstances.  Please inform us if you are using Shibboleth or Open Athens as an identify provider.

Possible Causes of Failed TCP/IP Authentication Attempts

IPv6 versus IPv4

Coherent Digital supports both version 6 and version 4 of the TCP/IP address standard.  Most campuses report their TCP/IP version 4 ranges.  However if version 6 is in use, please also make sure those ranges are included in your PSI IpRegistry entry.

EzProxy Configuration

It is helpful to determine if the problem is limited to users of the EzProxy (only) or if it also affects direct access made from a campus IP address, so please try both ways if possible.  If the failure to authenticate is limited to EzProxy users, then the problem may be in the ExProxy configuration.  Coherent Digital maintains up-to-date EzProxy stanzas on the OCLC website.

In your situation, did remote access via the EzProxy initially work, and now it doesn't?  Are any other destinations exhibiting a failure to authenticate? Many EzProxy configurations include stanzas for hundreds of resources used through the proxy and many edits are made to the configuration over time.  Some of the EzProxy configuration directives are 'global' in scope and can affect the operation of other stanzas in the configuration (typically the ones that appear after the global-scope directive).  So as a diagnostic, it is sometimes helpful to put the stanza for the failed destination near the top of the list of stanzas and see if that changes how access behaves through the proxy.

VPN Configuration

Does your institution use a Virtual Private Network to support remote users?  VPNs are very flexible, and there are numerous ways they can be architected.  The administrator of the VPN can choose which web destinations are reachable and which web destinations are proxied.  Make sure that the VPN is configured to proxy the Coherent Digital product domains so that VPN users will arrive from a VPN IP address instead of their browser IP address.  The VPN terminology for this varies from depending on the VPN vendor, but it is generally referred to a Network Address Translation (NAT or SNAT)

Cached Sessions

If you have visited a Coherent Digital site before activating your paid membership, it's possible that the browser session has been cached from this previous (unauthenticated) visit.  Please try an 'Incognito' or 'Private' mode browser window when testing access to new memberships.

Inactive Membership

Is it possible the membership to the product is not active yet (or any longer)?  Was it requested to be set up for trial or paid membership from a specific start date and or end date?  Paid subscriptions are set up with unspecified end dates which are cancelled only after consultation with the customer.  This is to ensure that access is not interrupted unless the customer confirms they do not intend to continue the membership.  One-time-purchases never have an end date.  All trials to products will have a specified end date.  So if you are on a trial and its past its configured end date, then please contact your sales representative about an extension.  Customer Support will need to inspect your membership dates, to make sure they are still active.

Network Changes at the Institution

Have there been any changes to the campus network configuration?  If so, please make sure that new ranges are communicated to Customer Support.

Mindscape Commons - Extra Step

For the Mindscape Commons product (and only this product) Coherent Digital needs to configure the URL of the proxy.  E.g. https://mindscapecommons-net.yourproxy.yourinstitution.edu  This is the URL that appears after you log into EzProxy and are at the Mindscape Commons home page.  After installing the stanza, please share this URL with Customer Support so we can configure this URL.

    • Related Articles

    • Authentication: How To Enable Remote User Access

      At Coherent Digital, we support four frictionless options for remote user access: Username & Password Authentication IP Authentication EzProxy  Shibboleth Authentication Username & Password Authentication Individual users or users associated with an ...
    • Why we use TheIPregistry.org to maintain IP addresses

      Maintaining accurate IP addresses is a problem for the entire scholarly community. According to the IPRegistry.org, 58% of the IP ranges held by publishers to authenticate libraries who license their content are inaccurate. Apart from unlicensed ...