authReportReject.ini File

 

The authReportReject.ini initialization file specifies options for the authentication rejection report, which is an ASCII comma-delimited file that records authentication rejections.

If the MaxMinutesPerFile parameter is set to 0, the file name of the authentication rejection report is rejects_yyyymmdd.csv (where yyyymmdd identifies the date the report was generated). If the MaxMinutesPerFile parameter is set to a value greater than 0, the file name of the report is rejects_yyyymmdd_hhmm.csv (where yyyymmdd identifies the date and hhmm identifies the time the report was generated).

[Attributes] Section

The [Attributes] section of authReportReject.ini lists the attributes logged in the authentication rejection report.

You can configure what is logged to the authentication rejection report by entering attributes in the [Attributes] section in the sequence you want them to appear. This lets you design the content and column order of any spreadsheets that you plan to create based upon the reject report.

The syntax of the [Attributes] section is:

For example:

The [Attributes] section lists one AttributeName on each line. You must ensure that an equal sign (=) immediately follows each AttributeName, with no spaces in between. Improperly formatted entries are ignored.

Each AttributeName in the [Attributes] section must be defined in a standard RADIUS dictionary file (.dct file), a subattribute dictionary file (.jdict file), or a vendor-specific dictionary file (.dct) installed on the Steel-Belted Radius Carrier server.

The following attributes in each authentication rejection report entry are always enabled, and cannot be reordered or deleted:

  • Date—Identifies the date of the authentication rejection.

  • Time—Identifies the time of the authentication rejection.

  • RADIUS-Client—Identifies the RADIUS client that received the authentication rejection.

  • User-Name—Identifies the name of the user that was rejected.

  • Reject-Method—Identifies the most relevant authentication method that rejected the user. If this information is unavailable, the parameter is set to Unknown.

  • Rejected-Device—Identifies the MAC address or the outer NAI of the device that was rejected. If this information is unavailable, the parameter is set to Unknown.

  • Reject-Reason—Identifies the reason for the authentication rejection. Table 50 describes the reject reason codes supported by SBRC.

    Table 50: Reject Reason Codes

    Reason Code    Reject Reason
    AUTH_ERR_001   EAP-NAK received; client requesting EAP protocol 0,21
    AUTH_ERR_003   Filter (ASNGW_JS) script execution failed
    AUTH_ERR_004   Unable to find user with matching password
    AUTH_ERR_005   EAP-NAK received; client requesting EAP protocol 0,13
    AUTH_ERR_006   Received request with unmatched state attribute
    AUTH_ERR_007   EAP-TTLS: Required User-Name attribute not present in inner authentication request
    AUTH_ERR_008   EAP-TTLS authentication failed - client issued alert for invalid certificate type
    AUTH_ERR_011   Server issued alert as unknown root certificate authority
    AUTH_ERR_012   No mobility keys found for NAI
    AUTH_ERR_013   Client issued alert as client closed the session before handshake was completed
    AUTH_ERR_014   Tunneled authentication rejected
    AUTH_ERR_016   Required Message-Authenticator attribute missing
    AUTH_ERR_017   Too many or too few authentication attributes in request
    AUTH_ERR_018   Conflicting authentication methods in packet
    AUTH_ERR_019   Missing User-Name attribute in request
    AUTH_ERR_020   Multiple User-Name attributes in request
    AUTH_ERR_021   User-Name attribute in request too long
    AUTH_ERR_022   Correlation ID not assigned
    AUTH_ERR_023   Request contained invalid payload
    AUTH_ERR_026   User is blocklisted
    AUTH_ERR_029   Invalid Session-Timeout value
    AUTH_ERR_032   Unable to get session record
    AUTH_ERR_036   Proxy authentication failed
    AUTH_ERR_037   SQL Error 0 resulted in hard failure
    AUTH_ERR_038   Failed to initialize cache for request
    AUTH_ERR_040   System error
    AUTH_ERR_041   General post-processing error
    AUTH_ERR_042   Username or credential incorrect
    AUTH_ERR_043   Invalid credentials
    AUTH_ERR_044   • Invalid credential or user
                   • Rejecting request username not matching the regular expression configured in ValidateAuth (radius.ini)
                   Note:
                   • In the invalid-password scenario for a proxy-directed realm, "AUTH_ERR_043", "user found, but password validation failed" is printed for TTLS with SQL instead of "Tunneled authentication reject".
                   • In the invalid-password scenario for a proxy-directed realm, "AUTH_ERR_044" and "ldap auth user not authenticated" are printed for TTLS with LDAP instead of "Tunneled authentication reject".
    AUTH_ERR_045   User locked out
    AUTH_ERR_046   Access error
    AUTH_ERR_047   Invalid request
    AUTH_ERR_048   Unknown error
    AUTH_ERR_049   EAP Challenge Timeout due to delayed client
    AUTH_ERR_050   EAP Challenge Timeout due to unresponsive client
    AUTH_ERR_097   Error retrieving IDs and MIP from challenge cache

  • Reject-Log—Identifies the reason for the authentication request in language supplied by the authentication method. If a reason is not supplied, the parameter is set to Unavailable.

These attributes do not appear in the [Attributes] section of the authReportReject.ini file.
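
One way to triage these reports, as an added example that is not part of the original documentation: the Python below parses both report file-name forms and counts credential-related reject codes from Table 50 per user and device. It assumes rows have no header line, begin with the eight fixed attributes in the order listed above, and carry the reason code in Reject-Reason; the sample rows, the threshold, and the function names are constructed for illustration.

```python
import csv
import io
import re
from collections import Counter
from datetime import datetime

# Fixed attributes in the order the page lists them (assumed to lead every row).
FIXED = ["Date", "Time", "RADIUS-Client", "User-Name", "Reject-Method",
         "Rejected-Device", "Reject-Reason", "Reject-Log"]
# Table 50 codes that point at a bad credential or a lockout.
CREDENTIAL_CODES = {"AUTH_ERR_004", "AUTH_ERR_042", "AUTH_ERR_043",
                    "AUTH_ERR_044", "AUTH_ERR_045"}
# rejects_yyyymmdd.csv (MaxMinutesPerFile = 0) or rejects_yyyymmdd_hhmm.csv (> 0)
NAME_RE = re.compile(r"^rejects_(\d{8})(?:_(\d{4}))?\.csv$")

def report_start(filename):
    """Return the datetime encoded in a report file name, or None if it is not one."""
    m = NAME_RE.match(filename)
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1) + (m.group(2) or "0000"), "%Y%m%d%H%M")
    except ValueError:
        return None

def credential_rejects(report_text, threshold=3):
    """Count credential-related rejects per (user, device); keep counts >= threshold."""
    counts = Counter()
    for row in csv.reader(io.StringIO(report_text)):
        if len(row) < len(FIXED):
            continue  # truncated or malformed line
        rec = dict(zip(FIXED, row))
        if rec["Reject-Reason"] in CREDENTIAL_CODES:
            counts[(rec["User-Name"], rec["Rejected-Device"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample rows (not real server output), quoted as with QuoteText = 1.
SAMPLE = '''"2024-05-01","10:00:01","nas-a","alice","EAP-TTLS","00-11-22-33-44-55","AUTH_ERR_042","Username or credential incorrect"
"2024-05-01","10:00:04","nas-a","alice","EAP-TTLS","00-11-22-33-44-55","AUTH_ERR_043","Invalid credentials"
"2024-05-01","10:00:09","nas-a","alice","EAP-TTLS","00-11-22-33-44-55","AUTH_ERR_042","Username or credential incorrect"
"2024-05-01","10:00:12","nas-a","alice","EAP-TTLS","00-11-22-33-44-55","AUTH_ERR_050","EAP Challenge Timeout due to unresponsive client"
"2024-05-01","10:01:30","nas-b","bob","Unknown","Unknown","AUTH_ERR_044","Invalid credential or user"
'''

if __name__ == "__main__":
    print(report_start("rejects_20240501_1330.csv"), credential_rejects(SAMPLE))
```
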

Note

If you modify the [Attributes] section and then restart the SBR Carrier, a new log file reject_yyyymmdd_nnnnn.csv is created.

[Settings] Section

The [Settings] section of authReportReject.ini specifies the operational characteristics of the authentication rejection report. Sample syntax is:

Table 51: authReportReject.ini [Settings] Syntax

Parameter

Function

BufferSize

Specifies the size of the buffer used in the logging process, in bytes.

Default value is 131072.

DaysToKeep

Specifies the number of days the Steel-Belted Radius Carrier server retains each rejection report.

Default value is 1 (one day).

LineSize

Specifies the maximum size of a single log line. The allowable range is 1024 to 32768.

Default value is 4096.

Note: Logging will fail if this value is exceeded.

LogFilePermissions

Specifies the owner and access permission setting for the authentication rejection report (rejects_yyyymmdd.csv) file.

Enter a value for the LogFilePermissions setting in owner:group permissions format, where:

  • owner specifies the owner of the file in text or numeric format.

  • group specifies the group setting for the file in text or numeric format.

  • permissions specifies what privileges can be exercised by Owner/Group/Other with respect to the file in text or numeric format.

    For example, user:1007 rw-r----- specifies that the file owner (user) can read and edit the log file, members of group 1007 can read (but not edit) the log file, and that other users cannot access the log file.

MaxMinutesPerFile

Specifies how often the current report is closed and a new file opened.

  • If set to n (where n is a number greater than 0), a new report file is generated every n minutes.

  • If set to 0, a new report file is generated once every 24 hours, at midnight local time.

Default value is 0.

Note: The value entered for MaxMinutesPerFile determines the file name of the generated report.

QuoteBinary

  • If set to 1, binary values written to the report are enclosed in quotes.

  • If set to 0, quotes are not used.

Set this value according to the format expected by the application that processes the entries.

Default value is 1.

QuoteInteger

  • If set to 1, integer values written to the report are enclosed in quotes.

  • If set to 0, quotes are not used.

Set this value according to the format expected by the application that processes the entries.

Default value is 1.

QuoteIPAddress

  • If set to 1, IP addresses written to the report are enclosed in quotes.

  • If set to 0, quotes are not used.

Set this value according to the format expected by the application that processes the entries.

Default value is 1.

QuoteText

  • If set to 1, text strings written to the report are enclosed in quotes.

  • If set to 0, quotes are not used.

Set this value according to the format expected by the application that processes the entries.

Default value is 1.

QuoteTime

  • If set to 1, time and date values written to the report are enclosed in quotes.

  • If set to 0, quotes are not used.

Set this value according to the format expected by the application that processes the entries.

Default value is 1.

UTC

  • If set to 1, time and date values are provided according to UTC (GMT).

  • If set to 0, time and date values reflect local time.

Default value is 0.
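
A configuration check for the rules on this page, added here as an example and not part of the product: it flags [Attributes] entries that would be ignored, a LineSize outside the allowable range, and a LogFilePermissions value that grants access to other users (the report holds user names and device identifiers). The `Key = value` layout in [Settings], `;` comment lines, the function names, and the sample file are assumptions.

```python
import re

ATTR_OK = re.compile(r"^[^\s=]+=")   # AttributeName immediately followed by '='
# owner:group permissions, with permissions in text (rw-r-----) or octal (640) form
PERM_RE = re.compile(r"^\S+:\S+\s+([0-7]{3,4}|[rwx-]{9})$")

def other_can_access(perms):
    """True if the 'other' class holds any right in a text or octal permission string."""
    if perms.isdigit():
        return perms[-1] != "0"
    return perms[6:] != "---"

def lint(text):
    """Return (line number, message) findings for the text of authReportReject.ini."""
    findings, section = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):   # ';' comment lines are an assumption
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Attributes":
            if not ATTR_OK.match(line):
                findings.append((n, "entry ignored: '=' must directly follow the name"))
        elif section == "Settings":
            key, _, value = (p.strip() for p in line.partition("="))
            if key == "LineSize":
                if not (value.isdigit() and 1024 <= int(value) <= 32768):
                    findings.append((n, "LineSize outside the range 1024 to 32768"))
            elif key == "LogFilePermissions":
                m = PERM_RE.match(value)
                if m is None:
                    findings.append((n, "not in 'owner:group permissions' format"))
                elif other_can_access(m.group(1)):
                    findings.append((n, "report file is accessible to other users"))
    return findings

# Constructed sample file (not shipped with the product).
SAMPLE = """[Attributes]
NAS-IP-Address=
Calling-Station-Id =
Framed-IP-Address
[Settings]
LineSize = 512
LogFilePermissions = radius:1007 rw-r--r--
MaxMinutesPerFile = 60
"""
```
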