Audit messages

The protocol handler that receives and processes RADIUS requests did not start up. This may be because of a missing license key in the Authentication Server component record, or because the license key in that component record does not enable RADIUS support. Look for the line RADIUS=Yes in the license key details.

A common reason for this error, when RADIUS is enabled in the license key, is that the RADIUS ports are already in use by another process on the machine.

Alternatively, the configuration settings may be invalid.

When a RADIUS profile name is in the user account but that name is not found in SBR, the login is failed with this error.

This can also occur if there is no RADIUS profile in the user account, but there is a default RADIUS profile configured that was not found in SBR.

An attempt to connect to an ODBC data source failed. This may be caused by any of the following:

• The database is unavailable for some reason such as rebooting.
• The database is too busy temporarily to service the connection.
• There are networking problems.
• Your credentials used in connecting to the database are invalid.

An attempt by the Replication  library to connect to a destination server failed. This may be caused by any of the following:

• The incorrect IP address or port is configured.
• The destination server is unavailable for some reason such as rebooting.
• There are networking/connectivity problems, such as an intermediate firewall blocking the port.

An established connection to a destination server has broken. This may be caused by any of the following:

• The destination server suddenly becomes unavailable for some reason such as rebooting.
• There is a temporary networking or connectivity problem.

A RADIUS request was received but there is no RADIUS client component for the source of the request, and there is no “default” RADIUS client component. The request is discarded.

This audit message will be repeated at intervals when the same unknown source sends requests, but not for every request.

This can occur when the forwards a request to a RADIUS server, and the RADIUS server forwards the request back, due to its own proxy rules. It can also occur indirectly in a longer 'proxy chain'. The request is discarded, otherwise an infinite loop could be created.

If this occurs, there must be an error in the proxy configuration of the RADIUS server(s).

The activation notification could not be sent, because no destination attribute is specified in the respective user account.

This audit message is usually recorded during delayed activation, if the activation/registration operation completes successfully, but the notification messages cannot be sent.

A push notification message was not sent because a duplicate device ID or DIGIPASS Push Notification Identifier (PNID) for the relevant authenticator license was detected. This can for example occur if the user deletes the app that is used with the relevant authenticator from their mobile device.

Push notification messages are sent only once per license to the same device.

A user just exceeded the User Lock Threshold of failed logins and their user account is now locked. Administrator action is required to unlock the account.

When a client application is configured to use auto-unlock and the user account becomes locked, the audit message also contains the date and time when the end user will be able to authenticate again to auto-unlock their user account.

This message is audited when no applicable authenticator application can be found to generate offline authentication data. A authenticator application is applicable for generating offline authentication data, if it is a Response-Only authenticator application without scoring support.

This occurs, for instance, when a user authenticates using push notification and no such authenticator application is present on the assigned primary authenticator.

OneSpan Authentication Server decided not to handle an authentication request due to policy and/or user account settings. The main reasons why this may occur are: the effective Local Authentication and back-end authentication settings were both None; the user failed the Windows Group Check, using the Pass Requests for users not in listed groups back to host system option.

Note that the effective settings are the effective settings of the policy, unless the user account overrides the policy.

The grace period expires automatically when a one-time password (OTP) is used to authenticate for the first time, i.e. after the OTP has been successfully validated (if it has not been set manually to expire prior to that in the relevant policy). It also expires after a successful MDL activation, either using an OTP or a signature validation. After the grace period has expired, depending on the Local Authentication settings in the relevant policy, users can then either continue to use both their static password or their authenticator (DIGIPASS or Password), or must only use the authenticator (DIGIPASS/Password during Grace Period or DIGIPASS Only) to log on.

A user who has been using backup Virtual Mobile Authenticator(Backup VDP) has used their normal OTP login using the authenticator again. When the effective Backup VDP Enabled setting is Yes – Time Limited, using the normal OTP login ends their time limit immediately. This is done by setting the Enabled Until date on their authenticator to the current date.

An administrator action is required to reset their Enabled Until date, if the user is to be allowed to use backup Virtual Mobile Authenticator again.

The Authentication library has failed a Live Audit connection request. The audit message has details of the failure and there may be a preceding E000001 with error details.

Note that this may occur even when preceded by a successful authentication (S002001) message, for example if the user's credentials were OK but they did not have Administrative Logon or Live Audit Connection privilege.