RADIUS related Error Messages

Error Code	Error Message	Description	Corrective Action
SBR24600	<SBR Error>	RADIUS non informal message such as a RADIUS Reject message.	Check the RADIUS reject message from the protocol specification for resolution.
AUT23314	Radius Accounting: Failed to send radius accounting <session-type> session <Status> request for <username>	Unable to send RADIUS (start, stop) accounting messages to RADIUS server.	Check the network connectivity between PPS and external RADIUS server.
AUT23458	Login failed	The user login failed due to following reasons: •Wrong Certificate •Admin Only •Admin Recovery •Feature Unlicensed •Max Sessions •Short Password •Account Disabled •Account Locked Out •Account Expired •No Roles •Too Many Sessions •Revoked Certificate •IP Denied •UA Denied •IP Blocked •No Certificate •Radius •Realm Remediate •Role Remediate •OCSP Failure •No Assertion •Connect Error •SignIn Notification Decline •Chassis SSO Failed •Login Cancel •Too Many EES •Too Many PRM •Token Or OTP •Invalid Assertion •Empty Assertion •SPNEGO_SSO •Max Session Per User •Empty User Name •Password Change required but Password Management disabled •FIPS Client Required •Needs SAML Authentication •No Realm •Maximum Onboard Devices •Login Failed on Reject	The corrective actions based on error message: •For Wrong certificate- Obtain a client certificate with the key usage of Digital Signature. •For Admin only- Only Admin Login is allowed. •For Account Locked Out- The account is locked out due to too many incorrect login attempts. •For FIPS client required- Use Pulse Client if you are using older clients like OAC. •For invalid/untrusted certificate message- Try reimporting the CA certificate. See KB. •For Maximum onboard devices- Check the license limit of your hardware. See KB. •For Token or OTP- This could be due to time synchronization issue between the client and the authenticator. Pulse Secure recommends to use a NTP server to avoid time drift issues. •For Certificate revoked- Disable the certificate revocation check on your browser security settings and try again. •Too many EES- The number of concurrent Enhanced Endpoint Defense (Malware Protection) users signed into the system has exceeded the system limit. •Too Many PRM- The number of concurrent Shavlik Remediation users signed into the system has exceeded the system limit. •For Realm remediate- The realm is defined as a remediation realm.
			•For Empty user name- The user name field is empty. •For RADIUS related messages- see KB.
EAM30455	License key restriction: number of concurrent Enhanced Endpoint Security (Malware Protection) users (Number of concurrent users) exceeded the system limit (Max user limit). <username>/<realm- name> is not allowed to login.	The maximum number of concurrent users are connected. No new users are allowed to connect.	You can purchase new user licenses.
SBR24461	RADIUS: <Error message>	The error message describes protocol failure in any of the following cases: •PEAP configuration •TLS configuration •TTLS configuration	The authentication protocol set must be configured on the PPS based on the client configuration.
BR24574	RADIUS: <Error message>	The server certificate is not found for interface.	Install the server certificate.
EAM30585	Detected both OAC and Pulse connections from <Endpoint IP Address>	The user is connecting both OAC and Pulse client simultaneously.	You must connect one client at a time.
SBR24575	RADIUS: Received RADIUS message with Message-Authentication-Code from client name> (client IP>) but Key Wrap is not enabled for this client.	This error message describes that the Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218).	Enable the key wrap option in the RADIUS Client page.
SBR24575	RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key(MACK)	This error message is displayed when Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match.	Check if MACK is correctly configured for the client in the RADIUS Client page.
SBR24575	RADIUS: Received RADIUS message with Message-Authentication-Code from client < client name> (client IP>) but Key Wrap is not enabled for this client.	When Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218).	Check if key wrap is disabled for the Client in 'Radius Client' page
SBR24575	RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key (MACK)?	When Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match.	Check if MACK is correctly configured for the Client in 'Radius Client' page.

SBR24600

RADIUS non informal message such as a RADIUS Reject message.

Check the RADIUS reject message from the protocol specification for resolution.

AUT23314

Radius Accounting: Failed to send radius accounting <session-type> session <Status> request for <username>

Unable to send RADIUS (start, stop) accounting messages to RADIUS server.

Check the network connectivity between PPS and external RADIUS server.

AUT23458

Login failed

The user login failed due to following reasons:

•Wrong Certificate

•Admin Only

•Admin Recovery

•Feature Unlicensed

•Max Sessions

•Short Password

•Account Disabled

•Account Locked Out

•Account Expired

•No Roles

•Too Many Sessions

•Revoked Certificate

•IP Denied

•UA Denied

•IP Blocked

•No Certificate

•Radius

•Realm Remediate

•Role Remediate

•OCSP Failure

•No Assertion

•Connect Error

•SignIn Notification Decline

•Chassis SSO Failed

•Login Cancel

•Too Many EES

•Too Many PRM

•Token Or OTP

•Invalid Assertion

•Empty Assertion

•SPNEGO_SSO

•Max Session Per User

•Empty User Name

•Password Change required but Password Management disabled

•FIPS Client Required

•Needs SAML Authentication

•No Realm

•Maximum Onboard Devices

•Login Failed on Reject

The corrective actions based on error message:

•For Wrong certificate- Obtain a client certificate with the key usage of Digital Signature.

•For Admin only- Only Admin Login is allowed.

•For Account Locked Out- The account is locked out due to too many incorrect login attempts.

•For FIPS client required- Use Pulse Client if you are using older clients like OAC.

•For invalid/untrusted certificate message- Try reimporting the CA certificate. See KB.

•For Maximum onboard devices- Check the license limit of your hardware. See KB.

•For Token or OTP- This could be due to time synchronization issue between the client and the authenticator. Pulse Secure recommends to use a NTP server to avoid time drift issues.

•For Certificate revoked- Disable the certificate revocation check on your browser security settings and try again.

•Too many EES- The number of concurrent Enhanced Endpoint Defense (Malware Protection) users signed into the system has exceeded the system limit.

•Too Many PRM- The number of concurrent Shavlik Remediation users signed into the system has exceeded the system limit.

•For Realm remediate- The realm is defined as a remediation realm.

•For Empty user name- The user name field is empty.

•For RADIUS related messages- see KB.

EAM30455

License key restriction: number of concurrent Enhanced Endpoint Security (Malware Protection) users (Number of concurrent users) exceeded the system limit (Max user limit). <username>/<realm- name> is not allowed to login.

The maximum number of concurrent users are connected. No new users are allowed to connect.

You can purchase new user licenses.

SBR24461

RADIUS: <Error message>

The error message describes protocol failure in any of the following cases:

•PEAP configuration

•TLS configuration

•TTLS configuration

The authentication protocol set must be configured on the PPS based on the client configuration.

BR24574

RADIUS: <Error message>

The server certificate is not found for interface.

Install the server certificate.

EAM30585

Detected both OAC and Pulse connections from <Endpoint IP Address>

The user is connecting both OAC and Pulse client simultaneously.

You must connect one client at a time.

SBR24575

RADIUS: Received RADIUS message with Message-Authentication-Code from client name> (client IP>) but Key Wrap is not enabled for this client.

This error message describes that the Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218).

Enable the key wrap option in the RADIUS Client page.

SBR24575

RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key(MACK)

This error message is displayed when Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match.

Check if MACK is correctly configured for the client in the RADIUS Client page.

SBR24575

RADIUS: Received RADIUS message with Message-Authentication-Code from client < client name> (client IP>) but Key Wrap is not enabled for this client.

When Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218).

Check if key wrap is disabled for the Client in 'Radius Client' page

SBR24575

RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key (MACK)?

When Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match.

Check if MACK is correctly configured for the Client in 'Radius Client' page.