2.76. USERAUTH

Home Prev	cOS Core 15.00.01 Log Reference Guide	Next

2.76.1. accounting_start (ID: 03700001)

Default Severity: INFORMATIONAL
Log Message: Successfully received RADIUS Accounting START response from RADIUS Accounting server
Explanation: The unit received a valid response to an Accounting-Start event from the Accounting Server.
Firewall Action: None
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.2. invalid_accounting_start_server_response (ID: 03700002)

Default Severity: WARNING
Log Message: Received a RADIUS Accounting START response with an Identifier mismatch. Ignoring this packet
Explanation: The unit received a response with an invalid Identifier mismatch. This can be the result of a busy network, causing accounting event re-sends. This will be ignored.
Firewall Action: ignore_packet
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.3. no_accounting_start_server_response (ID: 03700003)

Default Severity: ALERT
Log Message: Did not receive a RADIUS Accounting START response. Accounting has been disabled
Explanation: The unit did not receive a response to an Accounting-Start event from the Accounting Server. Accounting features will be disabled.
Firewall Action: accounting_disabled
Recommended Action: Verify that the RADIUS Accounting server daemon is running on the Accounting Server.
Revision: 2
Context Parameters: User Authentication

2.76.4. invalid_accounting_start_server_response (ID: 03700004)

Default Severity: ALERT
Log Message: Received an invalid RADIUS Accounting START response from RADIUS Accounting server. Accounting has been disabled
Explanation: The unit received an invalid response to an Accounting-Start event from the Accounting Server Accounting features will be disabled.
Firewall Action: accounting_disabled
Recommended Action: Verify that the RADIUS Accounting server is properly configured.
Revision: 2
Context Parameters: User Authentication

2.76.5. no_accounting_start_server_response (ID: 03700005)

Default Severity: WARNING
Log Message: Logging out the authenticated user, as no RADIUS Accounting START response was received from RADIUS Accounting server
Explanation: The authenticated user is logged out as no response to the Accounting-Start event was received from the Accounting Server.
Firewall Action: logout_user
Recommended Action: Verify that the RADIUS Accounting server daemon is running on the Accounting Server.
Revision: 2
Context Parameters: User Authentication

2.76.6. invalid_accounting_start_server_response (ID: 03700006)

Default Severity: WARNING
Log Message: Logging out the authenticated user, as an invalid RADIUS Accounting START response was received from RADIUS Accounting server
Explanation: The authenticated user is logged out as an invalid response to the Accounting-Start event was received from the Accounting Server.
Firewall Action: logout_user
Recommended Action: Verify that the RADIUS Accounting server is properly configured.
Revision: 2
Context Parameters: User Authentication

2.76.7. failed_to_send_accounting_stop (ID: 03700007)

Default Severity: ALERT
Log Message: Failed to send Accounting STOP to Authentication Server. Accounting information will not be sent to Authentication Server.
Explanation: The unit failed to send an Accounting-Stop event to the Accounting Server. Accounting information will not be sent to the Accounting Server.
Firewall Action: None
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.8. accounting_stop (ID: 03700008)

Default Severity: NOTICE
Log Message: Successfully received RADIUS Accounting STOP response from RADIUS Accounting server. Bytes sent=<bytessent>, Bytes recv=<bytesrecv>, Packets sent=<packetssent>, Packets recv=<packetsrecv>, Session time=<sestime>
Explanation: The unit received a valid response to an Accounting-Stop event from the Accounting Server.
Firewall Action: None
Recommended Action: None
Revision: 2
Parameters: bytessent
bytesrecv
packetssent
packetsrecv
gigawrapsent
gigawraprecv
sestime
Context Parameters: User Authentication

2.76.9. invalid_accounting_stop_server_response (ID: 03700009)

Default Severity: WARNING
Log Message: Received a RADIUS Accounting STOP response with an Identifier mismatch. Ignoring this packet
Explanation: The unit received a response with an invalid Identifier mismatch. This can be the result of a busy network, causing accounting event re-sends. This will be ignored.
Firewall Action: ignore_packet
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.10. no_accounting_stop_server_response (ID: 03700010)

Default Severity: ALERT
Log Message: Did not receive a RADIUS Accounting STOP response. User statistics might not have been updated on the Accounting Server
Explanation: The unit did not receive a response to an Accounting-Stop event from the Accounting Server. Accounting information might not have been propery received by the Accounting Server.
Firewall Action: None
Recommended Action: Verify that the RADIUS Accounting server daemon is running on the Accounting Server.
Revision: 2
Context Parameters: User Authentication

2.76.11. invalid_accounting_stop_server_response (ID: 03700011)

Default Severity: ALERT
Log Message: Received an invalid RADIUS Accounting STOP response from RADIUS Accounting server. User statistics might not have been updated on the Accounting Server
Explanation: The unit received an invalid response to an Accounting-Stop event from the Accounting Server. Accounting information might not have been propery received by the Accounting Server.
Firewall Action: None
Recommended Action: Verify that the RADIUS Accounting server is properly configured.
Revision: 2
Context Parameters: User Authentication

2.76.12. failure_init_radius_accounting (ID: 03700012)

Default Severity: ALERT
Log Message: Failed to send Accounting Start to RADIUS Accounting Server. Accounting will be disabled
Explanation: The unit failed to send an Accounting-Start event to the Accounting Server. Accounting features will be disabled.
Firewall Action: accounting_disabled
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.13. invalid_accounting_start_request (ID: 03700013)

Default Severity: WARNING
Log Message: Logging out the authenticated user, as a RADIUS Accounting START request could not be sent to the RADIUS Accounting server
Explanation: The authenticated user is logged out as an Accounting-Start request did not get sent to the Accounting Server. This could be a result of missing a route from the unit to the Accounting Server.
Firewall Action: logout_user
Recommended Action: Verify that a route exists from the unit to the RADIUS Accounting server and that it is properly configured.
Revision: 2
Context Parameters: User Authentication

2.76.14. no_accounting_start_server_response (ID: 03700014)

Default Severity: ALERT
Log Message: Did not send a RADIUS Accounting START request. Accounting has been disabled
Explanation: The unit did not send an Accounting-Start event to the Accounting Server. Accounting features will be disabled. This could be a result of missing a route from the unit to the Accounting Server.
Firewall Action: accounting_disabled
Recommended Action: Verify that a route exists from the unit to the RADIUS Accounting server and that it is properly configured.
Revision: 2
Context Parameters: User Authentication

2.76.15. user_timeout (ID: 03700020)

Default Severity: NOTICE
Log Message: User timeout expired, user is automatically logged out
Explanation: The user is automatically logged out, as the configurated timeout expired.
Firewall Action: user_removed
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.16. group_list_too_long (ID: 03700030)

Default Severity: WARNING
Log Message: User <username> belongs in too many groups, keeping the 32 first groups
Explanation: A username can only be a member of a maximum of 32 groups. This username is a member of too many groups and only the 32 first groups will be used.
Firewall Action: truncating_group_list
Recommended Action: Lower the number of groups that this user belongs to.
Revision: 1
Parameters: username

2.76.17. accounting_alive (ID: 03700050)

Default Severity: NOTICE
Log Message: Successfully received RADIUS Accounting Interim response from RADIUS Accounting server. Bytes sent=<bytessent>, Bytes recv=<bytesrecv>, Packets sent=<packetssent>, Packets recv=<packetsrecv>, Session time=<sestime>
Explanation: The unit successfully received a RADIUS Accounting Interim response to an Accounting-Interim request event from the Accounting Server. Accounting information has been updated on the Accounting Server.
Firewall Action: None
Recommended Action: None
Revision: 2
Parameters: bytessent
bytesrecv
packetssent
packetsrecv
gigawrapsent
gigawraprecv
sestime
Context Parameters: User Authentication

2.76.18. accounting_interim_failure (ID: 03700051)

Default Severity: ALERT
Log Message: Failed to send Accounting Interim to Authentication Server. Accounting information might not be properly updated on the Accounting Server.
Explanation: The unit failed to send an Accounting-Interim event to the Accounting Server. The statistics on the Accounting Server might not have been properly synchronized.
Firewall Action: None
Recommended Action: Verify that the RADIUS Accounting server daemon is running on the Accounting Server.
Revision: 2
Context Parameters: User Authentication

2.76.19. no_accounting_interim_server_response (ID: 03700052)

Default Severity: ALERT
Log Message: Did not receive a RADIUS Accounting Interim response. User statistics might not have been updated on the Accounting Server
Explanation: The unit did not receive a response to an Accounting-Interim event from the Accounting Server. Accounting information might not have been propery received by the Accounting Server.
Firewall Action: None
Recommended Action: Verify that the RADIUS Accounting server daemon is running on the Accounting Server.
Revision: 2
Context Parameters: User Authentication

2.76.20. invalid_accounting_interim_server_response (ID: 03700053)

Default Severity: ALERT
Log Message: Received an invalid RADIUS Accounting Interim response from RADIUS Accounting server. User statistics might not have been updated on the Accounting Server
Explanation: The unit received an invalid response to an Accounting-Interm event from the Accounting Server. Accounting information might not have been propery received by the Accounting Server.
Firewall Action: None
Recommended Action: Verify that the RADIUS Accounting server is properly configured.
Revision: 2
Context Parameters: User Authentication

2.76.21. invalid_accounting_interim_server_response (ID: 03700054)

Default Severity: WARNING
Log Message: Received a RADIUS Accounting Interim response with an Identifier mismatch. Ignoring this packet
Explanation: The unit received a response with an invalid Identifier mismatch. This can be the result of a busy network, causing accounting event re-sends. This will be ignored.
Firewall Action: ignore_packet
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.22. relogin_from_new_srcip (ID: 03700100)

Default Severity: WARNING
Log Message: User with the same username is logging in from another IP address, logging out current instance
Explanation: A user with the same username as an already authenticated user is logging in. The current instance is logged out.
Firewall Action: logout_current_user
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.23. already_logged_in (ID: 03700101)

Default Severity: WARNING
Log Message: This user is already logged in
Explanation: A user with the same username as an already authenticated user tried to logged in and was rejected .
Firewall Action: disallowed_login
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.24. user_login (ID: 03700102)

Default Severity: NOTICE
Log Message: User logged in. Idle timeout: <idle_timeout>, Session timeout: <session_timeout>
Explanation: A user logged in and has been granted access, according to the group membership or user name information.
Firewall Action: None
Recommended Action: None
Revision: 2
Parameters: idle_timeout
session_timeout
[groups]
Context Parameters: User Authentication

2.76.25. bad_user_credentials (ID: 03700104)

Default Severity: NOTICE
Log Message: Unknown user or invalid password
Explanation: A user failed to log in. The entered username or password was invalid.
Firewall Action: None
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.26. radius_auth_timeout (ID: 03700105)

Default Severity: ALERT
Log Message: Timeout during RADIUS user authentication, contact with RADIUS server not established
Explanation: The unit did not receive a response from the RADIUS Authentication server and the authentication process failed.
Firewall Action: None
Recommended Action: Verify that the RADIUS Authentication server daemon is running on the Authenication Server.
Revision: 2
Context Parameters: User Authentication

2.76.27. manual_logout (ID: 03700106)

Default Severity: NOTICE
Log Message: User manually logged out
Explanation: A user manually logged out and is no longer authenticated.
Firewall Action: None
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.28. userauthrules_disallowed (ID: 03700107)

Default Severity: WARNING
Log Message: Denied access according to UserAuthRules rule-set
Explanation: The user is not allowed to authenticate according to the UserAuthRules rule-set.
Firewall Action: None
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.29. ldap_auth_error (ID: 03700109)

Default Severity: ALERT
Log Message: Error during LDAP user authentication, contact with LDAP server not established
Explanation: The unit did not receive a response from the LDAP Authentication server and the authentication process failed.
Firewall Action: None
Recommended Action: Verify that the LDAP Authentication server daemon is running on the Authenication Server.
Revision: 2
Context Parameters: User Authentication

2.76.30. user_logout (ID: 03700110)

Default Severity: NOTICE
Log Message: User logged out
Explanation: A user logged out and is no longer authenticated.
Firewall Action: None
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.31. radius_parse_error (ID: 03700111)

Default Severity: WARNING
Log Message: Failed to parse RADIUS user authentication response from <server_ip> for <user>
Explanation: Unable to parse RADIUS user authentication response from server.
Firewall Action: ignore_packet
Recommended Action: None
Revision: 2
Parameters: server_ip
user
reason

2.76.32. bad_oidc_credentials (ID: 03700112)

Default Severity: NOTICE
Log Message: Invalid OIDC ID token
Explanation: A user failed to log in. The sent OIDC ID token was invalid.
Firewall Action: None
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.33. user_group_disallow (ID: 03700114)

Default Severity: NOTICE
Log Message: User not member of allowed user groups for this interface
Explanation: A user failed to log in. The user was not member of the allowed user groups for this interface.
Firewall Action: None
Recommended Action: None
Revision: 2
Parameters: iface
Context Parameters: User Authentication

2.76.34. ldap_session_new_out_of_memory (ID: 03700401)

Default Severity: ALERT
Log Message: Out of memory while trying to allocate new LDAP session
Explanation: The unit failed to allocate a LDAP session, as it is out of memory.
Firewall Action: None
Recommended Action: None
Revision: 1
Parameters: reason

2.76.35. cant_create_new_request (ID: 03700402)

Default Severity: ERROR
Log Message: Can't create new user request. Authentication aborted
Explanation: Can't create new user request.
Firewall Action: authentication_failed
Recommended Action: Check LDAP context to work.
Revision: 1

2.76.36. ldap_user_authentication_successful (ID: 03700403)

Default Severity: NOTICE
Log Message: LDAP Authentication successful for <user>
Explanation: Authentication attempt successful.
Firewall Action: None
Recommended Action: None
Revision: 1
Parameters: user

2.76.37. ldap_user_authentication_failed (ID: 03700404)

Default Severity: NOTICE
Log Message: LDAP Authentication failed for <user>
Explanation: Authentication attempt failed.
Firewall Action: None
Recommended Action: None
Revision: 1
Parameters: user

2.76.38. ldap_context_new_out_of_memory (ID: 03700405)

Default Severity: ALERT
Log Message: Out of memory while trying to allocate new LDAP Context
Explanation: The unit failed to allocate a LDAP Context, as it is out of memory.
Firewall Action: None
Recommended Action: None
Revision: 1
Parameters: reason

2.76.39. user_req_new_out_of_memory (ID: 03700406)

Default Severity: ALERT
Log Message: Out of memory while trying to allocate new User Request
Explanation: The unit failed to allocate a User Request, as it is out of memory.
Firewall Action: None
Recommended Action: None
Revision: 1
Parameters: reason

2.76.40. failed_admin_bind (ID: 03700407)

Default Severity: ALERT
Log Message: Cannot bind to LDAP database <database>
Explanation: Cannot bind the LDAP database using the configured username and password.
Firewall Action: database connection disabled
Recommended Action: Check configuration.
Revision: 1
Parameters: database

2.76.41. invalid_username_or_password (ID: 03700408)

Default Severity: ERROR
Log Message: Invalid provided username or password
Explanation: Username or password does not contain any information.
Firewall Action: authentication_failed
Recommended Action: Verify connecting client username and password.
Revision: 1

2.76.42. failed_retrieve_password (ID: 03700409)

Default Severity: ALERT
Log Message: Cannot retrieve user password from LDAP database <database>
Explanation: Cannot retrive the user password from LDAP database making user authentication impossible.
Firewall Action: user authentication failed
Recommended Action: Check configuration for password attribute.
Revision: 1
Parameters: database

2.76.43. ldap_timed_out_server_request (ID: 03700423)

Default Severity: NOTICE
Log Message: LDAP timed out server request
Explanation: LDAP timed out server request.
Firewall Action: None
Recommended Action: None
Revision: 1
Parameters: SessionID
user
ldap_server_ip

2.76.44. ldap_no_working_server_found (ID: 03700424)

Default Severity: ERROR
Log Message: LDAP no working server found
Explanation: LDAP no working server found.
Firewall Action: None
Recommended Action: None
Revision: 2
Parameters: SessionID
user

2.76.45. ldap_moving_request_active_server (ID: 03700425)

Default Severity: NOTICE
Log Message: Active LDAP server found.
Explanation: Moving LDAP request to an active server.
Firewall Action: None
Recommended Action: None
Revision: 1
Parameters: SessionID
user
ldap_server_ip

2.76.46. no_shared_ciphers (ID: 03700500)

Default Severity: ERROR
Log Message: SSL Handshake: No shared ciphers exists. Closing down SSL connection
Explanation: No shared ciphers were found between the client and the unit and the SSL connection can not be established.
Firewall Action: ssl_close
Recommended Action: Make sure that the client and unit share atleast one cipher.
Revision: 1
Parameters: client_ip

2.76.47. disallow_clientkeyexchange (ID: 03700501)

Default Severity: ERROR
Log Message: SSL Handshake: Disallow ClientKeyExchange. Closing down SSL connection
Explanation: The SSL connection will be closed because there are not enough resources to process any ClientKeyExchange messages at the moment. This could be a result of SSL handshake message flooding. This action is triggered by a system that monitors the amount of resources that is spent on key exchanges. This system is controlled by the advanced setting SSL_ProcessingPriority.
Firewall Action: ssl_close
Recommended Action: Investigate the source of this and try to find out if it is a part of a possible attack, or normal traffic.
Revision: 2
Parameters: client_ip

2.76.48. bad_packet_order (ID: 03700502)

Default Severity: ERROR
Log Message: Bad SSL Handshake packet order. Closing down SSL connection
Explanation: Two or more SSL Handshake message were received in the wrong order and the SSL connection is closed.
Firewall Action: ssl_close
Recommended Action: None
Revision: 1
Parameters: client_ip

2.76.49. bad_clienthello_msg (ID: 03700503)

Default Severity: ERROR
Log Message: SSL Handshake: Bad ClientHello message. Closing down SSL connection
Explanation: The ClientHello message (which is the first part of a SSL handshake) is invalid and the SSL connection is closed.
Firewall Action: ssl_close
Recommended Action: None
Revision: 1
Parameters: client_ip

2.76.50. bad_changecipher_msg (ID: 03700504)

Default Severity: ERROR
Log Message: SSL Handshake: Bad ChangeCipher message. Closing down SSL connection
Explanation: The ChangeCipher message (which is a part of a SSL handshake) is invalid and the SSL connection is closed.
Firewall Action: ssl_close
Recommended Action: None
Revision: 1
Parameters: client_ip

2.76.51. bad_clientkeyexchange_msg (ID: 03700505)

Default Severity: ERROR
Log Message: SSL Handshake: Bad ClientKeyExchange message. Closing down SSL connection
Explanation: The ClientKeyExchange message (which is a part of a SSL handshake) is invalid and the SSL connection is closed.
Firewall Action: ssl_close
Recommended Action: None
Revision: 1
Parameters: client_ip

2.76.52. bad_clientfinished_msg (ID: 03700506)

Default Severity: ERROR
Log Message: SSL Handshake: Bad ClientFinished message. Closing down SSL connection
Explanation: The ClientFinished message (which is a part of a SSL handshake) is invalid and the SSL connection is closed.
Firewall Action: ssl_close
Recommended Action: None
Revision: 1
Parameters: client_ip

2.76.53. bad_alert_msg (ID: 03700507)

Default Severity: ERROR
Log Message: Bad Alert message. Closing down SSL connection
Explanation: The Alert message (which can be a part of a SSL handshake) is invalid and the SSL connection is closed.
Firewall Action: ssl_close
Recommended Action: None
Revision: 1
Parameters: client_ip

2.76.54. unknown_ssl_error (ID: 03700508)

Default Severity: ERROR
Log Message: Unknown SSL error. Closing down SSL connection
Explanation: An unknown error occured in the SSL connection and the SSL connection is closed.
Firewall Action: ssl_close
Recommended Action: None
Revision: 1
Parameters: client_ip

2.76.55. received_sslalert (ID: 03700510)

Default Severity: ERROR
Log Message: Received SSL Alert. Closing down SSL connection
Explanation: A SSL Alert message was received during an established SSL connection and the SSL connection will be closed.
Firewall Action: close
Recommended Action: None
Revision: 1
Parameters: client_ip
level
description

2.76.56. sent_sslalert (ID: 03700511)

Default Severity: ERROR
Log Message: Sent SSL Alert. Closing down SSL connection
Explanation: The unit has sent a SSL Alert message to the client, due to some abnormal event. The connection will be closed down.
Firewall Action: close
Recommended Action: Consult the "description" parameter, which contains the reason for this.
Revision: 1
Parameters: client_ip
level
description

2.76.57. ssl_context_move_failure (ID: 03700512)

Default Severity: ERROR
Log Message: Unable to attach SSL context from client to <subsystem>.
Explanation: Failure during move of SSL context to the subsystem. The connection will be closed down.
Firewall Action: ssl_close
Recommended Action: None
Revision: 1
Parameters: subsystem
client_ip

2.76.58. user_login (ID: 03707000)

Default Severity: NOTICE
Log Message: User logged in. Idle timeout: <idle_timeout>, Session timeout: <session_timeout>
Explanation: A user logged in and has been granted access. Auth Rule grants immediate access.
Firewall Action: None
Recommended Action: None
Revision: 2
Parameters: idle_timeout
session_timeout
Context Parameters: User Authentication

2.76.59. userauthrules_disallowed (ID: 03707001)

Default Severity: WARNING
Log Message: Denied access according to UserAuthRules rule-set
Explanation: The user is not allowed to authenticate according to the UserAuthRules rule-set.
Firewall Action: None
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.60. user_login (ID: 03707002)

Default Severity: NOTICE
Log Message: User logged in. Idle timeout: <idle_timeout>, Session timeout: <session_timeout>
Explanation: A user logged in and has been granted access. The MAC address has been found.
Firewall Action: None
Recommended Action: None
Revision: 2
Parameters: idle_timeout
session_timeout
Context Parameters: User Authentication

2.76.61. bad_user_credentials (ID: 03707003)

Default Severity: NOTICE
Log Message: Unknown user
Explanation: A user failed to log in. The MAC address does not exist.
Firewall Action: None
Recommended Action: None
Revision: 2
Context Parameters: User Authentication

2.76.62. ldap_auth_error (ID: 03707004)

Default Severity: ALERT
Log Message: Error during LDAP user authentication, contact with LDAP server not established
Explanation: The unit did not receive a response from the LDAP Authentication server and the authentication process failed.
Firewall Action: None
Recommended Action: Verify that the LDAP Authentication server daemon is running on the Authenication Server.
Revision: 2
Context Parameters: User Authentication

2.76.63. bad_user_credentials (ID: 03707005)

Default Severity: NOTICE
Log Message: Unknown user
Explanation: A user failed to log in.
Firewall Action: None
Recommended Action: None
Revision: 2
Context Parameters: User Authentication