RADIUS related Error Messages

Table below describes the error codes when issues occur with your RADIUS connection.

Error Code	Error Message	Description	Corrective Action
SBR24600	<SBR Error>	RADIUS non informal message such as a RADIUS Reject message.	Check the RADIUS reject message from the protocol specification for resolution.
AUT23314	Radius Accounting: Failed to send radius accounting <session-type> session <Status> request for <username>	Unable to send RADIUS (start, stop) accounting messages to RADIUS server.	Check the network connectivity between Ivanti Policy Secure and external RADIUS server.
AUT23458	Login failed	The user login failed due to following reasons: Wrong Certificate Admin Only Admin Recovery Feature Unlicensed Max Sessions Short Password Account Disabled Account Locked Out Account Expired No Roles Too Many Sessions Revoked Certificate IP Denied UA Denied IP Blocked No Certificate Radius Realm Remediate Role Remediate OCSP Failure No Assertion Connect Error SignIn Notification Decline Chassis SSO Failed Login Cancel Too Many EES Too Many PRM Token Or OTP Invalid Assertion Empty Assertion SPNEGO_SSO Max Session Per User Empty User Name Password Change required but Password Management disabled FIPS Client Required Needs SAML Authentication No Realm Maximum Onboard Devices Login Failed on Reject	The corrective actions based on error message: For Wrong certificate- Obtain a client certificate with the key usage of Digital Signature. For Admin only- Only Admin Login is allowed. For Account Locked Out- The account is locked out due to too many incorrect login attempts. For FIPS client required- Use Ivanti Client if you are using older clients like OAC. For invalid/untrusted certificate message- Try reimporting the CA certificate. See KB. For Maximum onboard devices- Check the license limit of your hardware. See KB. For Token or OTP- This could be due to time synchronization issue between the client and the authenticator. Ivanti Secure recommends to use a NTP server to avoid time drift issues. For Certificate revoked- Disable the certificate revocation check on your browser security settings and try again. Too many EES- The number of concurrent Enhanced Endpoint Defense (Malware Protection) users signed into the system has exceeded the system limit. Too Many PRM- The number of concurrent Shavlik Remediation users signed into the system has exceeded the system limit. For Realm remediate- The realm is defined as a remediation realm.
			For Empty user name- The user name field is empty. For RADIUS related messages- see KB.
EAM30455	License key restriction: number of concurrent Enhanced Endpoint Security (Malware Protection) users (Number of concurrent users) exceeded the system limit (Max user limit). <username>/<realm- name> is not allowed to login.	The maximum number of concurrent users are connected. No new users are allowed to connect.	You can purchase new user licenses.
SBR24461	RADIUS: <Error message>	The error message describes protocol failure in any of the following cases: PEAP configuration TLS configuration TTLS configuration	The authentication protocol set must be configured on the Ivanti Policy Secure based on the client configuration.
BR24574	RADIUS: <Error message>	The server certificate is not found for interface.	Install the server certificate.
EAM30585	Detected both OAC and Ivanti connections from <Endpoint IP Address>	The user is connecting both OAC and Ivanti client simultaneously.	You must connect one client at a time.
SBR24575	RADIUS: Received RADIUS message with Message-Authentication-Code from client name> (client IP>) but Key Wrap is not enabled for this client.	This error message describes that the Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218).	Enable the key wrap option in the RADIUS Client page.
SBR24575	RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key(MACK)	This error message is displayed when Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match.	Check if MACK is correctly configured for the client in the RADIUS Client page.
SBR24575	RADIUS: Received RADIUS message with Message-Authentication-Code from client < client name> (client IP>) but Key Wrap is not enabled for this client.	When Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218).	Check if key wrap is disabled for the Client in 'Radius Client' page
SBR24575	RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key (MACK)?	When Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match.	Check if MACK is correctly configured for the Client in 'Radius Client' page.