RADIUS related Error Messages

Error Code	Error Message	Description	Corrective Action
SBR24600	<SBR Error>	RADIUS non informal message such as a RADIUS Reject message.	Check the RADIUS reject message from the protocol specification for resolution.
AUT23314	Radius Accounting: Failed to send radius accounting <session-type> session <Status> request for <username>	Unable to send RADIUS (start, stop) accounting messages to RADIUS server.	Check the network connectivity between Ivanti Policy Secure and external RADIUS server.
AUT23458	Login failed	The user login failed due to following reasons: Wrong Certificate Admin Only Admin Recovery Feature Unlicensed Max Sessions Short Password Account Disabled Account Locked Out Account Expired No Roles Too Many Sessions Revoked Certificate IP Denied UA Denied IP Blocked No Certificate Radius Realm Remediate Role Remediate OCSP Failure No Assertion Connect Error SignIn Notification Decline Chassis SSO Failed Login Cancel Too Many EES Too Many PRM Token Or OTP Invalid Assertion Empty Assertion SPNEGO_SSO Max Session Per User Empty User Name Password Change required but Password Management disabled FIPS Client Required Needs SAML Authentication No Realm Maximum Onboard Devices Login Failed on Reject	The corrective actions based on error message: For Wrong certificate- Obtain a client certificate with the key usage of Digital Signature. For Admin only- Only Admin Login is allowed. For Account Locked Out- The account is locked out due to too many incorrect login attempts. For FIPS client required- Use Ivanti Client if you are using older clients like OAC. For invalid/untrusted certificate message- Try reimporting the CA certificate. See KB. For Maximum onboard devices- Check the license limit of your hardware. See KB. For Token or OTP- This could be due to time synchronization issue between the client and the authenticator. Ivanti Secure recommends to use a NTP server to avoid time drift issues. For Certificate revoked- Disable the certificate revocation check on your browser security settings and try again. Too many EES- The number of concurrent Enhanced Endpoint Defense (Malware Protection) users signed into the system has exceeded the system limit. Too Many PRM- The number of concurrent Shavlik Remediation users signed into the system has exceeded the system limit. For Realm remediate- The realm is defined as a remediation realm.
			For Empty user name- The user name field is empty. For RADIUS related messages- see KB.
EAM30455	License key restriction: number of concurrent Enhanced Endpoint Security (Malware Protection) users (Number of concurrent users) exceeded the system limit (Max user limit). <username>/<realm- name> is not allowed to login.	The maximum number of concurrent users are connected. No new users are allowed to connect.	You can purchase new user licenses.
SBR24461	RADIUS: <Error message>	The error message describes protocol failure in any of the following cases: PEAP configuration TLS configuration TTLS configuration	The authentication protocol set must be configured on the Ivanti Policy Secure based on the client configuration.
BR24574	RADIUS: <Error message>	The server certificate is not found for interface.	Install the server certificate.
EAM30585	Detected both OAC and Ivanti connections from <Endpoint IP Address>	The user is connecting both OAC and Ivanti client simultaneously.	You must connect one client at a time.
SBR24575	RADIUS: Received RADIUS message with Message-Authentication-Code from client name> (client IP>) but Key Wrap is not enabled for this client.	This error message describes that the Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218).	Enable the key wrap option in the RADIUS Client page.
SBR24575	RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key(MACK)	This error message is displayed when Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match.	Check if MACK is correctly configured for the client in the RADIUS Client page.
SBR24575	RADIUS: Received RADIUS message with Message-Authentication-Code from client < client name> (client IP>) but Key Wrap is not enabled for this client.	When Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218).	Check if key wrap is disabled for the Client in 'Radius Client' page
SBR24575	RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key (MACK)?	When Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match.	Check if MACK is correctly configured for the Client in 'Radius Client' page.

SBR24600

RADIUS non informal message such as a RADIUS Reject message.

Check the RADIUS reject message from the protocol specification for resolution.

AUT23314

Radius Accounting: Failed to send radius accounting <session-type> session <Status> request for <username>

Unable to send RADIUS (start, stop) accounting messages to RADIUS server.

Check the network connectivity between Ivanti Policy Secure and external RADIUS server.

AUT23458

Login failed

The user login failed due to following reasons:

Wrong Certificate
Admin Only
Admin Recovery
Feature Unlicensed
Max Sessions
Short Password
Account Disabled
Account Locked Out
Account Expired
No Roles
Too Many Sessions
Revoked Certificate
IP Denied
UA Denied
IP Blocked
No Certificate
Radius
Realm Remediate
Role Remediate
OCSP Failure
No Assertion
Connect Error
SignIn Notification Decline
Chassis SSO Failed
Login Cancel
Too Many EES
Too Many PRM
Token Or OTP
Invalid Assertion
Empty Assertion
SPNEGO_SSO
Max Session Per User
Empty User Name
Password Change required but Password Management disabled
FIPS Client Required
Needs SAML Authentication
No Realm
Maximum Onboard Devices
Login Failed on Reject

The corrective actions based on error message:

For Wrong certificate- Obtain a client certificate with the key usage of Digital Signature.
For Admin only- Only Admin Login is allowed.
For Account Locked Out- The account is locked out due to too many incorrect login attempts.
For FIPS client required- Use Ivanti Client if you are using older clients like OAC.
For invalid/untrusted certificate message- Try reimporting the CA certificate. See KB.
For Maximum onboard devices- Check the license limit of your hardware. See KB.
For Token or OTP- This could be due to time synchronization issue between the client and the authenticator. Ivanti Secure recommends to use a NTP server to avoid time drift issues.
For Certificate revoked- Disable the certificate revocation check on your browser security settings and try again.
Too many EES- The number of concurrent Enhanced Endpoint Defense (Malware Protection) users signed into the system has exceeded the system limit.
Too Many PRM- The number of concurrent Shavlik Remediation users signed into the system has exceeded the system limit.
For Realm remediate- The realm is defined as a remediation realm.

For Empty user name- The user name field is empty.
For RADIUS related messages- see KB.

EAM30455

License key restriction: number of concurrent Enhanced Endpoint Security (Malware Protection) users (Number of concurrent users) exceeded the system limit (Max user limit). <username>/<realm- name> is not allowed to login.

The maximum number of concurrent users are connected. No new users are allowed to connect.

You can purchase new user licenses.

SBR24461

RADIUS: <Error message>

The error message describes protocol failure in any of the following cases:

PEAP configuration
TLS configuration
TTLS configuration

The authentication protocol set must be configured on the Ivanti Policy Secure based on the client configuration.

BR24574

RADIUS: <Error message>

The server certificate is not found for interface.

Install the server certificate.

EAM30585

Detected both OAC and Ivanti connections from <Endpoint IP Address>

The user is connecting both OAC and Ivanti client simultaneously.

You must connect one client at a time.

SBR24575

RADIUS: Received RADIUS message with Message-Authentication-Code from client name> (client IP>) but Key Wrap is not enabled for this client.

This error message describes that the Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218).

Enable the key wrap option in the RADIUS Client page.

SBR24575

RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key(MACK)

This error message is displayed when Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match.

Check if MACK is correctly configured for the client in the RADIUS Client page.

SBR24575

RADIUS: Received RADIUS message with Message-Authentication-Code from client < client name> (client IP>) but Key Wrap is not enabled for this client.

When Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218).

Check if key wrap is disabled for the Client in 'Radius Client' page

SBR24575

RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key (MACK)?

When Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match.

Check if MACK is correctly configured for the Client in 'Radius Client' page.