RADIUS related Error Messages
Table below describes the error codes when issues occur with your RADIUS connection.
|
Error Code |
Error Message |
Description |
Corrective Action |
|
SBR24600 |
<SBR Error> |
RADIUS non informal message such as a RADIUS Reject message. |
Check the RADIUS reject message from the protocol specification for resolution. |
|
AUT23314 |
Radius Accounting: Failed to send radius accounting <session-type> session <Status> request for <username> |
Unable to send RADIUS (start, stop) accounting messages to RADIUS server. |
Check the network connectivity between PPS and external RADIUS server. |
|
AUT23458 |
Login failed |
The user login failed due to following reasons: •Wrong Certificate •Admin Only •Admin Recovery •Feature Unlicensed •Max Sessions •Short Password •Account Disabled •Account Locked Out •Account Expired •No Roles •Too Many Sessions •Revoked Certificate •IP Denied •UA Denied •IP Blocked •No Certificate •Radius •Realm Remediate •Role Remediate •OCSP Failure •No Assertion •Connect Error •SignIn Notification Decline •Chassis SSO Failed •Login Cancel •Too Many EES •Too Many PRM •Token Or OTP •Invalid Assertion •Empty Assertion •SPNEGO_SSO •Max Session Per User •Empty User Name •Password Change required but Password Management disabled •FIPS Client Required •Needs SAML Authentication •No Realm •Maximum Onboard Devices •Login Failed on Reject |
The corrective actions based on error message: •For Wrong certificate- Obtain a client certificate with the key usage of Digital Signature. •For Admin only- Only Admin Login is allowed. •For Account Locked Out- The account is locked out due to too many incorrect login attempts. •For FIPS client required- Use Pulse Client if you are using older clients like OAC. •For invalid/untrusted certificate message- Try reimporting the CA certificate. See KB. •For Maximum onboard devices- Check the license limit of your hardware. See KB. •For Token or OTP- This could be due to time synchronization issue between the client and the authenticator. Pulse Secure recommends to use a NTP server to avoid time drift issues. •For Certificate revoked- Disable the certificate revocation check on your browser security settings and try again. •Too many EES- The number of concurrent Enhanced Endpoint Defense (Malware Protection) users signed into the system has exceeded the system limit. •Too Many PRM- The number of concurrent Shavlik Remediation users signed into the system has exceeded the system limit. •For Realm remediate- The realm is defined as a remediation realm. |
|
|
|
|
•For Empty user name- The user name field is empty. •For RADIUS related messages- see KB. |
|
EAM30455 |
License key restriction: number of concurrent Enhanced Endpoint Security (Malware Protection) users (Number of concurrent users) exceeded the system limit (Max user limit). <username>/<realm- name> is not allowed to login. |
The maximum number of concurrent users are connected. No new users are allowed to connect. |
You can purchase new user licenses. |
|
SBR24461 |
RADIUS: <Error message> |
The error message describes protocol failure in any of the following cases: •PEAP configuration •TLS configuration •TTLS configuration |
The authentication protocol set must be configured on the PPS based on the client configuration. |
|
BR24574 |
RADIUS: <Error message> |
The server certificate is not found for interface. |
Install the server certificate. |
|
EAM30585 |
Detected both OAC and Pulse connections from <Endpoint IP Address> |
The user is connecting both OAC and Pulse client simultaneously. |
You must connect one client at a time. |
|
SBR24575 |
RADIUS: Received RADIUS message with Message-Authentication-Code from client name> (client IP>) but Key Wrap is not enabled for this client. |
This error message describes that the Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218). |
Enable the key wrap option in the RADIUS Client page. |
|
SBR24575 |
RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key(MACK) |
This error message is displayed when Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match. |
Check if MACK is correctly configured for the client in the RADIUS Client page. |
|
SBR24575 |
RADIUS: Received RADIUS message with Message-Authentication-Code from client < client name> (client IP>) but Key Wrap is not enabled for this client. |
When Cisco Key wrap is not enabled but RADIUS messages are received with Message Authenticator Code (RFC 6218). |
Check if key wrap is disabled for the Client in 'Radius Client' page |
|
SBR24575 |
RADIUS: Invalid Message-Authentication-Code from RADIUS client < client name> (<client IP>), discarding. Incorrect Message Authenticator Code Key (MACK)? |
When Mac-authentication-code mismatch occurs. This mismatch can occur if MACK keys does not match. |
Check if MACK is correctly configured for the Client in 'Radius Client' page. |