User Access Manager Help >> Operation Guide >> User Access Log >> Access Details >>Access Details Offline Cause

Access Details Offline Cause

User Request(Requested by the user)

• Description: User offline according to the user's offline request, Acct-Terminate-Cause(49) = 1.
• Possible reason:
  1. The user clicks Disconnect on the iNode client to go offline.
  2. When a security policy server is used in authentication, the heartbeat packet between the iNode client and the security policy server times out because of network unreachability.
• Recommended action: For network unreachability between the iNode client and the security policy server, the iNode client prompts the message: No response is received from the server, and you will be forced to log off. To resolve this issue:
  1. Use the ping, tracert, or other commands to verify the reachability of the route between the iNode client and the security policy server.
  2. If the route is reachable, identify whether the port (UDP port 9019) on the iNode client for communication with the security policy server is blocked by firewalls. For example, you can check the software firewalls on the PC, firewalls in the network, and software firewalls on EIA.

Lost Carrier(There is a problem with the handshake between the client and the switch)

• Description: Handshake failures occur between the iNode client and the switch, Acct-Terminate-Cause(49) = 2.
• Possible reason:
  1. In a network where the endpoint is indirectly connected to the authentication switch, the network cable of the endpoint is unplugged or the endpoint is in standby mode. Because the switch port connected to the endpoint is still up temporarily, the switch sends an EAP heartbeat packet but the iNode client cannot send a response packet due to network unavailability or device standby. For example, if you use a laptop as the endpoint and close the laptop lid, the laptop is in standby mode. The switch logs off the user after the heartbeat packet times out.
  2. The quality of the Layer 2 network between the authentication switch and the iNode client is poor. If multiple switches exist between the switch and the iNode client or a large volume of ARP attack packets exist in the network, EAP packets will be dropped. Or, if the performance of the endpoint's network card is poor or the CPU is occupied, the iNode client cannot obtain CPU resources to process EAP packets.
• Recommended action:
  1. Modify the heartbeat timeout time or fix unstable network conditions.
  2. Optimize the networking and improve hardware performance, use the dot1x timer handshake-period command to adjust the handshake timer, or use the dot1x retry command to adjust the maximum handshake attempts.

Lost Service(Service can no longer be provided)

• Description: Normal offline due to service stopping for the user, Acct-Terminate-Cause(49) = 3.
• Possible reason: The server providing services (L2TP, for example) actively initiates a service termination packet.
• Recommended action: None.

Idle Timeout(Idle timer has expired)

• Description: User offline due to idle timeout, Acct-Terminate-Cause(49) = 4.
• Possible reason: Use the corresponding command (the idle-cut enable command, for example) on the authentication device to enable the idle cut feature and set the relevant parameters. The device logs off users that do not meet the minimum traffic requirement in the idle timeout period. The command for enabling the idle cut feature varies by device model.
• Recommended action: Modify the idle timeout period on the authentication device.

Session Timeout(The session is terminated due to insufficient balance or expired access time range)

• Description: User offline due to insufficient balance or user access duration settings, Acct-Terminate-Cause(49) = 5.
• Possible reason:
  1. In a charging scenario, the user cannot continue to access the Internet due to insufficient balance.
  2. The user meets the requirements in the access period settings configured in the access policy.
  3. The user reaches the maximum online duration for a logon configured in the access policy on EIA, and session timeout=0 is carried in the accounting response packet sent by the server.
  4. The access time of the user (access account or guest) is not between the configured access start and end time, and session timeout=0 is carried in the accounting response packet sent by the server.
• Recommended action: Troubleshoot the charging policy, access period, single-logon maximum online duration, and access start and end time settings according to the corresponding possible reasons.

Admin Reset(The administrator performs a reset)

• Description: User offline due to the administrator's reset operation or other reasons, Acct-Terminate-Cause(49) = 6.
• Possible reason:
  1. The administrator resets the port or deletes the session.
  2. The server sends a forcible logoff packet to the access device to forcibly log off the user.
  3. Automatic screen lock or sleep mode is configured on the endpoint.
  4. In portal authentication, there are insufficient resources for hardware ACLs on the device (a switch rather than an AC), so a large number of users are forcibly logged off.
• Recommended action: None.

Admin Reboot(The administrator reboots the device)

• Description: The administrator reboots the device, Acct-Terminate-Cause(49) = 7.
• Possible reason: The administrator reboots the device or the timestamp carried in the RADIUS packet sent by the device is updated.
• Recommended action: None.

Port Error(Port erro)

• Description: Port error, Acct-Terminate-Cause(49) = 8.
• Possible reason: The device detects an error on the access port, for example, port down or card down.
• Recommended action: None.

Nas Error(An error is reported by NAS)

• Description: The NAS reports an error, Acct-Terminate-Cause(49) = 9.
• Possible reason:
  1. Roaming to a new AC occurs after the user has passed authentication and come online. The new AC initiates authentication, EIA clears the user's online information, and the user is logged off. (Applicable to non-memoized version of EIA).
  2. In wired 802.1X or portal authentication, because the device port connected to the endpoint is down, the device logs off all users on the port.
  3. With both 802.1X and MAC authentication enabled on an interface, when a dumb terminal passes MAC authentication and comes online, and then triggers 802.1X authentication, the terminal that has passed MAC authentication will go offline.
• Recommended action: Take the following actions according to the corresponding possible reasons:
  1. For offline before reauthentication in a non-fast roaming scenario, this is a normal event and no action is required.
  2. For user offline due to frequent port flapping, improve the link quality. For 802.1X authentication, to avoid such an event, use the link-delay command in interface view to set the physical state change suppression interval on the interface.

Nas Request(Requested by NAS)

• Description: User offline according to the NAS's request, Acct-Terminate-Cause(49) = 10.
• Possible reason:
  1. The NAS device stops the session due to unknown reasons.
  2. The NAS device sends acct off packets, and the server logs off all online users.
• Recommended action: None.

Nas Reboot(NAS reboots)

• Description: The NAS reboots, Acct-Terminate-Cause(49) = 11.
• Possible reason:
  1. The NAS device reboots abnormally
  2. The NAS device sends acctoff packets, and the server logs off all online users.
• Recommended action: None.

Port Unneeded(NAS ended session because resource usage fell below low-water mark)

• Description: The port is not in use, Acct-Terminate-Cause(49) = 12.
• Possible reason: Because the resource usage on the port is below the lowest level, the NAS stops the session. For example, such an event occurs when the port is judged as unneeded by bandwidth demand algorithms.
• Recommended action: None.

Port Preempted(NAS ended session in order to allocate the port to a higher priority use)

• Description: Resource preemption on the port, Acct-Terminate-Cause(49) = 13.
• Possible reason: The NAS stops all sessions on the port to assign the port to an application with a higher priority.
• Recommended action: None.

Port Suspended(NAS ended session to suspend a virtual session)

• Description: The port is suspended, Acct-Terminate-Cause(49) = 14.
• Possible reason: The online endpoint is disconnected from the switch abnormally because the link flaps or the port goes down and then comes up.
• Recommended action: None.

Service Unavailable(NAS was unable to provide requested service)

• Description: Service unavailability on the NAS, Acct-Terminate-Cause(49) = 15.
• Possible reason: The NAS cannot provide the required services.
• Recommended action: None.

Callback(NAS is terminating current session in order to perform callback for a new session)

• Description: Callback, Acct-Terminate-Cause(49) = 16.
• Possible reason: The network access server (NAS) terminates the current session to perform the callback operation for a new session.
• Recommended action: None.

User Error(Input from user is in error, causing termination of session)

• Description: Upon identifying a reauthentication request, the switch clears online information on the device and notifies EIA, Acct-Terminate-Cause(49) = 17.
• Possible reason: Upon identifying a reauthentication packet, the switch logs out the online user, and notifies EIA through an accounting-stop packet that contains the Acct-Terminate-Cause(49) attribute. EIA displays User Error as the offline cause on the access details page.
• Recommended action: None.

Host Request(Login Host terminated session normally)

• Description: The host goes offline, Acct-Terminate-Cause(49) = 18.
• Possible reason: Log in to the host and terminate the session.
• Recommended action: None.

Supplicant Restart(Supplicant restart)

• Description: Request for restart, Acct-Terminate-Cause(49) = 19.
• Possible reason: Request for reinitialization of the state machines.
• Recommended action: None.

Reauthentication Failure(Re-authentication failure)

• Description: Reauthentication fails, Acct-Terminate-Cause(49) = 20.
• Possible reason: A previously authenticated endpoint fails the reauthentication upon expiration of the reauthentication timer or termination of the reauthentication request by the administrator.
• Recommended action: None.

Port Reinitialized(Port reinitialized)

• Description: The port has been reinitialized, Acct-Terminate-Cause(49) = 21.
• Possible reason: The MAC address of the port has been reinitialized.
• Recommended action: None.

Port Disabled(Port Disabled)

• Description: The port has been administratively shut down, Acct-Terminate-Cause(49) = 22.
• Possible reason:
  1. The port has been administratively shut down.
  2. Port is disabled by administrator.
• Recommended action: None.

Switch Access Details(Access details is regenerated at 00:00)

• Description: Access details records are added at midnight, Acct-Terminate-Cause(49) = 52.
• Possible reason: With Renew Access Details at Midnight enabled on INC, EIA adds new access details records for all online users at 00:00 every day. Then Switch Access Details will be displayed in the Offline Cause field for each user.
• Recommended action: None.

Enabling Proxy(Enabling Proxy)

• Description: The endpoint uses a proxy server, Acct-Terminate-Cause(49) = 54.
• Possible reason: In 802.1X authentication, the switch logs off the user upon receiving the notification from the iNode client through a handshake packet that the user endpoint uses a proxy server.
• Recommended action: None.

Enabling Double NICs(Enabling Double NICs)

• Description: The endpoint uses multiple NICs, Acct-Terminate-Cause(49) = 55.
• Possible reason: In 802.1X authentication, the switch logs off the user upon receiving the notification from the iNode client through a handshake packet that the user endpoint uses multiple NICs.
• Recommended action: None.

Setting Proxy in Browser(Setting Proxy in Browser)

• Description: The endpoint IE browser uses a proxy server, Acct-Terminate-Cause(49) = 56.
• Possible reason: In 802.1X authentication, the switch logs off the user upon receiving the notification from the iNode client through a handshake packet that a proxy server is configured in the proxy settings of the endpoint IE browser.
• Recommended action: None.

Invalid Client Version(Invalid client version)

• Description: The endpoint uses an invalid client (a cracked version of iNode, for example), Acct-Terminate-Cause(49) = 57.
• Possible reason: In 802.1X authentication, the switch detects that the user uses an invalid iNode client from a handshake packet, logs off the user, and notifies EIA through an accounting-stop packet (containing attribute Acct-Terminate-Cause(49)). EIA clears the user's local online information, and adds the user into the denylist.
• Recommended action: None.

Unknown Error(Unknown error)

• Description: Unknown error, 255.
• Possible reason: Unknown error 255 is normally caused by user association triggered by the device. The acct-terminate-cause field in the accounting stop packet is 255.This error might occur if a switch of an early version that supports EAP packets of up to 56 bytes is used. If the server deploys a long hw-user-notify message that exceeds 56 bytes, such as a user prompt, the authentication device determines that an unknown error occurs and logs off the user.
• Recommended action: Verify the maximum length of EAP packets supported by the device. If the message exceeds the maximum length, shorten the message.

Online Check(The user fails the online status check)

• Description: Online check, 256.
• Possible reason:
  1. If EIA fails to receive accounting updates for an account from any authentication device within the aging timeout, it clears the online list for the account and records the offline reason in the access details as online check. This mechanism is used to avoid user data residual on EIA if the link fails between an authentication device and EIA or an authentication device not configured with accounting-on restarts.
  2. For BYOD anonymous users, the system clears online records every day at 02:00 a.m. and records the offline reason as online check.
  3. The system clears users that have been online for over 24 hours with a session time of 0 if no accounting update is received for the users, and records the offline reason as online check.
• Recommended action: None.

Online Delete(Online record for the user is deleted)

• Description: Online delete, 257.
• Possible reason: The Clear Online Info button is manually clicked by the administrator on the Local tab. The system then clears all the online records for the account and records the offline reason as online delete.
• Recommended action: None.

Online Limit Exceeded(Maximum number of online users has been reached)

• Description: The max. number of online users using the same account is reached,258.
• Possible reason: EIA logs off the user that has come online and clears the user's online information in the following situations:
  1. With Log off Duplicate Account enabled on the System Parameters page and Max. Concurrent Logins set to 1 for an account, a user using the account has come online from an endpoint, and a duplicate account user on the same endpoint tries to come online.
  2. With Log off Duplicate Account enabled on the System Parameters page and Max. Number of Online Endpoints set to 1 for the access scenario used by an account, a user using the access scenario has come online, and a duplicate account user using the access scenario tries to come online.
• Recommended action: None.

Policy Server Logoff(Forced by the policy server)

• Description: When the device does not send accounting packets and the user initiates an offline request, the security policy server logs off the user, 259.
• Possible reason: When the device does not send accounting packets, the user's online information is maintained by heartbeat packets sent by the security policy server. In this scenario, if the endpoint user performs relevant operations to go offline or the endpoint initiates an offline request, EIA clears the user's online information upon receiving a forcible offline message (with message code 21687) from the security policy server.
• Recommended action: None.

Duplicate Authentication(Duplicate authentication)

• Description: EIA clears the user's local online information when it finds that the authentication request is duplicate, 260
• Possible reason: When the device has cleared the user's online information but the user is still displayed as online on EIA, and the device initiates authentication again, EIA judges the authentication packet as duplicate. The account name, suffix name, NAS IP, MAC, and IP in the authentication packet are the same as those in previous authentication packets of the user. In this case, EIA clears the user's online information.
• Recommended action: None.