List of Portnox Cloud alerts

In this topic, you will find the full list of Portnox Cloud alerts that can appear on the Alerts screen along with explanations that may help you troubleshoot.

Alert Explanation
802.1X access attempt denied - AD account is expired An attempt to access the network using 802.1X was denied because the associated account in the integrated Active Directory has expired. Please review the account configuration in your Active Directory.
802.1X access attempt denied - AD account is locked out An attempt to access the network using 802.1X was denied because the associated account in the integrated Active Directory is locked out. Please review the account configuration in your Active Directory.
802.1X access attempt denied - AD account password is expired An attempt to access the network using 802.1X was denied because the password of the associated account in the integrated Active Directory has expired. Please review the account configuration in your Active Directory.
802.1X access attempt denied because ’Device Requirement’ option is not followed An attempt to access the network was denied because the supplicant device is enrolled with AgentP and is part of a group for which access for AgentP-based devices is prohibited. Check your group configuration.
802.1X access attempt denied due to expired credentials This alert can occur under two circumstances: either the Cloud account for the device had an expiration date that has passed, or the wireless adapter of an AgentP device is configured to use MSCHAPv2 authentication, and AgentP was unable to update the credentials for some reason.
802.1X access attempt denied due to Google Workspace account misconfiguration An attempt to access the network using 802.1X authentication was denied because the Less secure app access option is disabled in Google Workspace for the user, preventing credential validation during authentication. To resolve this, enable the Less secure app access option as outlined in the documentation.
802.1X access attempt denied due to MFA policy An attempt to access the network using 802.1X authentication was denied because the account is an Okta-based account, multi-factor authentication (MFA) is enabled in Okta, and the authentication attempt does not include MFA.
802.1X access attempt denied due to missing credentials An attempt to access the network using 802.1X credential-based authentication was denied because the supplicant device provided no credentials. Check your supplicant device network configuration.
802.1X access attempt denied due to missing supplicant certificate An attempt to access the network using 802.1X EAP-TLS authentication was denied because no supplicant certificate was provided by the supplicant device. Check your supplicant device network configuration.
802.1X access attempt denied due to supplicant certificate invalid An attempt to access the network using 802.1X EAP-TLS authentication was denied because the data in the supplicant’s certificates (Subject/SAN) did not match any devices or accounts in Portnox Cloud. To resolve this, ensure that the supplicant certificate is issued with the correct Subject/SAN information. This error is most common if SCEP details are not configured correctly in UEM software. For more information, refer to a topic for your UEM software in the onboarding section.
802.1X access attempt denied due to supplicant certificate issuer untrusted An attempt to access the network using 802.1X EAP-TLS authentication was denied because the supplicant’s certificates were not issued by any root authorities trusted by the organization. This can occur, for example, if the supplicant’s certificate used in EAP-TLS was issued by a different root Certificate Authority (CA) than the one configured in Portnox Cloud. To resolve this, verify that your supplicant certificate is issued by the same root CA as the one configured in Cloud. For more information about certificates, refer to the following topic: Types of certificates.
802.1X access attempt denied due to supplicant certificate untrusted An attempt to access the network using 802.1X EAP-TLS authentication was denied because the supplicant’s certificate failed the trust validation. This can happen if one of the certificates in the supplicant’s trust chain is not recognized. To resolve the issue, ensure that if you’re using your own Certificate Authority (CA) to generate certificates, all certificates in the chain (including intermediate ones) are added to the Cloud configuration. For more information on certificates, refer to the following topic: Types of certificates.
802.1X access attempt denied due to unsupported authentication type An attempt to access the network using 802.1X authentication was denied because the supplicant device used an unsupported authentication type. This commonly occurs when a supplicant device is configured to use MSCHAPv2 authentication, but the authentication repository is Entra ID, Google Workspace, or Okta Workforce Identity, which do not support MSCHAPv2. For more information, refer to relevant onboarding section topics for your operating system.
802.1X access attempt denied due to wrong credentials An attempt to access the network using 802.1X credential-based authentication was denied due to incorrect credentials. Verify if the user’s password in the authentication repository has changed, and update the supplicant device configuration with the new password if necessary. For more information, refer to relevant onboarding section topics for your operating system.
802.1X access attempt denied to unauthorized SSID The supplicant device attempted to access a Wi-Fi network with the specified SSID using 802.1X, but the attempt was denied because the account belongs to a group that is restricted from Wi-Fi access. Check your group configuration.
802.1X access attempt denied. LDAP account not found in CLEAR repository and LDAP autoenrollment disabled An attempt to access the network using 802.1X was denied because there is no such Cloud account in Portnox Cloud internal repository, and the option to enroll devices automatically using LDAP and external repositories is disabled. You can change this setting by editing the group that the account belongs to.
802.1X authentication success The device was successfully authenticated and is now connected to the network. This alert is for information purposes only and requires no action.
802.1X wired access attempt denied An attempt to access the network using 802.1X was denied because the group that the user/device belongs to does not allow for wired network authentication. Check your group configuration.
802.1X wired access attempt denied due to forbidden authentication type An attempt to access the 801.X wired network was denied because the authentication type used in the attempt is not allowed for the group (Groups > group_name > 802.1X Wired network access > Allowed authentication types).
802.1X wireless access attempt denied due to forbidden authentication type An attempt to access the 801.X wireless network was denied because the authentication type used in the attempt is not allowed for the group (Groups > group_name > 802.1X Wireless network access > network_name > Allowed authentication types).
Access denied - user name ambiguous The user provided only their username without the domain part, and there are multiple users with the same username across different repositories. As a result, Portnox Cloud cannot uniquely assign the user to a specific repository.
Access denied since Directory Broker does not respond 802.1X access was denied because the Portnox Active Directory broker is not responding, so access to the organization’s Active Directory is not possible. To troubleshoot connectivity issues, see the following topic: How to check if the AD Broker connects to the cloud.
Access is denied due to the organization exceeding its subscription plan quota Access was denied because the subscription plan quota have been exceeded. Contact your Portnox representative for options to extend your quota.
Access requests become to be served by CLEAR Cloud service Access to the Cloud RADIUS server has been restored. As a result, all access requests are now being forwarded by the local RADIUS server to the Cloud RADIUS server and are being handled by the Cloud RADIUS server. This alert is for information purposes only and requires no action.
Access requests become to be served by Local RADIUS service Access to the Cloud RADIUS server has been lost due to a network or Internet outage. Consequently, all access requests are now being served by the local RADIUS server using its cache. This alert is for information purposes only and requires no action.
Access to 802.1X denied - access has been blocked by Azure Conditional Access policies A supplicant device attempted to connect to the network using 802.1X, but access was denied because the associated account in Entra ID was blocked by Azure Conditional Access policies. Please review your Conditional Access policies in Entra ID.
Access to 802.1X denied - account is not found A supplicant device attempted to connect to the network using 802.1X, but access was denied because Portnox Cloud does not have an account that matches the username provided by the supplicant device. Check your authentication repository and your supplicant device configuration (see topics in the onboarding section).
Access to 802.1X denied - agentless access is disabled A supplicant device attempted to connect to the network using 802.1X, but access was denied because the device is not enrolled with AgentP, and agentless access is disabled for the group associated with the account. To resolve this, either enroll AgentP on the device or enable agentless access for the relevant group.
Access to 802.1X denied - total amount of allowed devices per-account is reached A supplicant device attempted to connect to the network using 802.1X, but access was denied because the group associated with the account has reached the configured maximum allowed number of devices. Change the configuration of the group to connect with additional devices.
Access to 802.1X denied by Administrator This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
Access to 802.1X denied due to device blocked A supplicant device attempted to connect to the network using 802.1X, but access was denied because a Portnox Cloud administrator manually blocked the device or the account.
Access to 802.1X denied due to missing device policy This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
Access to 802.1X denied due to policy violation A supplicant device attempted to connect to the network using 802.1X, but access was denied because the device did not meet the requirements of the risk assessment policy. This alert provides details on the specific requirements the device must meet to gain network access.
Access to VPN denied - agentless access is disabled A VPN client attempted to connect to the VPN server, but access was denied because the device is not enrolled with AgentP, and agentless access is disabled for the group associated with the account. To resolve this, either enroll AgentP on the device or enable agentless access for the relevant group.
Account blocked by admin This Portnox Cloud account was blocked by the Cloud administrator and cannot be used until it is unblocked.
Account was deleted This Portnox Cloud account was deleted by the Cloud administrator.
Account’s certificate has expired The supplicant certificate associated with this account has expired. Issue a new supplicant certificate for the user or device, for example, using AgentP or SCEP.
Account’s certificate is about to expire The supplicant certificate associated with this account will expire soon. Issue a new supplicant certificate for the user or device, for example, using AgentP or SCEP.
Account’s certificate was revoked The supplicant certificate associate with this account was revoked (invalidated). Issue a new supplicant certificate for the user or device, for example, using AgentP or SCEP.
Activation code have expired When enrolling AgentP using an email address, an activation code is sent to your email. The code has expired, so you will need to restart the enrollment process and receive a new code via email.
Activation code reached attempts limits When enrolling AgentP using an email address, an activation code is sent to your email. The code has been used too many times, so you will need to restart the enrollment process and receive a new code via email.
Admin credentials expiring This alert is deprecated. Admin credentials currently have no expiration date. This alert may appear for older tenants, where administrator account credentials still have expiration dates.
Admin credentials have expired This alert is deprecated. Admin credentials currently have no expiration date. This alert may appear for older tenants, where administrator account credentials still have expiration dates.
AgentP firmware update has occured The AgentP on your managed device has been automatically updated to the latest version. These updates are typically carried out by Portnox as soon as a new version of AgentP becomes available. This alert is for information purposes only and requires no action.
Application version changed AgentP running on your managed device has detected that a different version of an existing application was installed on that managed device. This usually occurs when applications are updated to newer versions. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Applications export was successfully completed This alert is generated when the Cloud administrator uses the Export > Export devices option on the Devices screen. Since the export process may take some time, the alert notifies the administrator once the process is complete and provides a URL to download the exported data.
Authentication with unrecognized LDAP domain name During authentication, the user provided a domain that is not present in any of the repositories configured in Portnox Cloud.
Azure Active Directory synchronization completed Portnox Cloud has completed its periodical synchronization with your Entra ID authentication repository (previously known as Azure Active Directory). This synchronization occurs periodically to ensure that Portnox Cloud has up-to-date authentication information from your directory. This alert is for information purposes only and requires no action.
Azure Active Directory synchronization failed Portnox Cloud attempted to carry out its periodical synchronization with your Entra ID authentication repository (previously known as Azure Active Directory) but the attempt failed. Check if your Entra ID configuration has changed.
Azure membership validation failed If the risk assessment policy is set to check for Entra ID (formerly Azure Active Directory) membership, AgentP periodically verifies this membership on each AgentP-managed device. If the validation process fails, for instance due to network issues, this alert is generated.
Client supplicant certificate was created This alert is triggered when a new certificate is generated for an account through the self-onboarding web page.
Device changed risk status A device subject to a risk assessment policy has experienced a change in its risk score due to modifications on the device, resulting in a shift in its risk status. This change could involve moving between the three statuses: from Allow to Alert, Alert to Block, or vice versa.
Device enrollment failed due to problems with LDAP account The user attempted to enroll AgentP using an LDAP account by providing a username and password directly. However, the enrollment failed because the account in the LDAP repository is either disabled, locked, or requires a password reset.
Device has become archived The device was archived by Portnox Cloud because it has been inactive for an extended period of time. For more information about retention periods, see the following topic: Device retention periods.
Device has become dormant The device has been marked as dormant by Portnox Cloud because AgentP on the device has not communicated with Portnox Cloud for the specified time period, which is typically 2 days. For more information about retention periods, see the following topic: Device retention periods.
Device has changed enrollment status Each device subject to a risk assessment policy can be in one of five enrollment states: enrolled, enrolling, agentless, archived, or unregistered. If the device’s enrollment status changes due to modifications on the device itself, this alert can be generated. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device has changed its device fingerprint Portnox Cloud detected that the device has changed its IoT profiling fingerprint. This may be an attempt at MAC spoofing. Investigate the NAC and the affected device.
Device has changed its geo-location The mobile device subject to a risk assessment policy has changed its geographical location. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device has changed its GSM location The mobile device subject to a risk assessment policy has changed the GSM network that it is connected to. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device has changed organization presence status The device subject to a risk assessment policy has switched its network connection from an organization-managed network to a non-managed or guest network, or vice versa. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device has connected to another network This is an internal alert for testing purposes only. If you see this alert in your tenant, please contact Portnox Support for a detailed investigation.
Device has unenrolled The user has manually unenrolled their device by clicking on the Deactivate button in AgentP.
Device is unauthorized azure computer The device was not recognized as as valid member of the organization’s Entra ID directory. This may affect the device’s risk score in the relevant risk assessment policy.
Device is unauthorized domain computer AgentP on the managed device detected that the device was not recognized by Active Directory as as valid member of a specific domain. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device jailbroken AgentP on the managed device detected that the iOS device was jailbroken. Jailbreaking means removing software restrictions that are intentionally put in place by the device manufacturer. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device joined Azure Active Directory AgentP on the managed device detected that the device joined an Entra ID (formerly known as Azure Active Directory) directory. This may affect the device’s risk score in the relevant risk assessment policy.
Device joined LDAP Directory domain AgentP on the managed device detected that the device joined a LDAP directory domain. This may affect the device’s risk score in the relevant risk assessment policy.
Device left Azure Active Directory AgentP on the managed device detected that the device left an Entra ID (formerly known as Azure Active Directory) directory. This may affect the device’s risk score in the relevant risk assessment policy.
Device left LDAP Directory domain AgentP on the managed device detected that the device left a LDAP directory domain. This may affect the device’s risk score in the relevant risk assessment policy.
Device OS name and version has changed AgentP running on your managed device has detected that the operating system of that managed device has a name and a version different than the one previously identified. This rarely occurs when operating systems are updated to newer versions with different names. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device risk score reached "Alert" level The configuration of the specified device meets the conditions for the Alert level of the risk assessment policy configured for that device. This alert provides details on specific conditions that need to be addressed in order to lower the device’s risk score and move it out of the Alert category.
Device risk score reached "Block" level The configuration of the specified device meets the conditions for the Block level of the risk assessment policy configured for that device, resulting in the device being blocked from accessing the network. This alert provides details on the specific conditions that need to be addressed to lower the device’s risk score and move it out of the Block category.
Device roaming status changed AgentP running on your managed mobile device has detected a change in the phone’s roaming status. This means the device has either started roaming or stopped roaming compared to its previous status. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device running with insufficient disk space AgentP running on your managed device has detected that free disk space is low. The device needs sufficient free space to apply security updates. Please free up space on the device to ensure it can continue to receive updates. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device was blocked by admin A Portnox Cloud administrator selected the device on the Devices screen and clicked the Block button.
Device was blocked due to changed device fingerprint Portnox Cloud detected that the device has changed its IoT profiling fingerprint and has blocked the device from access. This may be an attempt at MAC spoofing. Investigate the NAC and the affected device.
Device was blocked due to excessive activity Portnox Cloud features an anti-DoS protection mechanism for its RADIUS servers. If a device sends RADIUS authentication or accounting requests too frequently, it is blocked at the load balancer firewall level. The default limits are: 60 successful authentication requests per minute, 30 failed authentication requests per minute, and 120 accounting requests per minute.
Device was removed during LDAP directory synchronization During the periodic synchronization between Portnox Cloud and the configured LDAP directory, Portnox Cloud detected that the specified device is no longer listed in the LDAP directory, and as a result, the device was removed from Portnox Cloud as well. This alert is for information purposes only and requires no action.
Device was successfully validated as azure member AgentP running on your managed device has detected that the device was successfully validated as a member of the organization’s Entra ID directory (formerly Azure Active Directory). Such checks are conducted periodically by AgentP. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device was successfully validated as domain member AgentP running on your managed device has detected that the device was successfully validated with Active Directory as a member of a specific domain. Such checks are conducted periodically by AgentP. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Device’s client certificate has expired A certificate generated by AgentP on the device has expired, and AgentP was unable to request a new certificate. This situation may occur if the device was turned off for an extended period, causing the certificate to expire while AgentP was not running and therefore unable to request a renewal.
Directory Broker client has reported its status This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
Directory Broker machine requires update Your Directory Broker is updated automatically and remotely by Portnox. This alert is highly unlikely to occur and would only trigger if the automatic update process fails for some reason.
Domain membership validation failed AgentP running on your managed device tried to check if the device is a member of a specific Active Directory domain, but the check failed due to circumstances such as network connectivity issues. Such checks are conducted periodically by AgentP. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Evaluation period is about to expire Your Portnox Cloud evaluation period will expire soon. Contact your Portnox representative for information about purchasing options.
External sign in failed An attempt to authenticate using an external authentication repository (Entra ID, Google Workspace, Okta, or on-premises Active Directory) on the self-onboarding web page failed.
External sign in success An attempt to authenticate using an external authentication repository (Entra ID, Google Workspace, Okta, or on-premises Active Directory) on the self-onboarding web page was successful.
Failed radius authentication request This is an internal alert for testing purposes only. If you see this alert in your tenant, please contact Portnox Support for a detailed investigation.
Failed to enroll device in unattended mode An attempt to enroll Portnox AgentP in unattended mode has failed because the device is not present in the organization’s Active Directory or Entra ID directory. Check your directory information.
Failed to synchronize The Portnox Directory Broker The Portnox Active Directory broker attempted to synchronize with Portnox Cloud, but the synchronization attempt failed. Check network connectivity and the status of the machine where the broker runs.
Failed to update device compliance status from Intune The Microsoft Intune integration was unable to update the device’s compliance status. Please check for any configuration changes in your Intune instance that may have disrupted the integration’s functionality.
Google Workspace access token expired This alert is deprecated. If you see this alert in your tenant, please contact Portnox Support for a detailed investigation.
Google Workspace integration is not configured properly This alert occurs during Google Workspace synchronization if at least one user in Google Workspace has the Less secure app access option disabled.
Guest authentication failed The specified user attempted to connected to the configured guest network (captive portal) but the attempt failed. Potential reasons include a wrong password or an internal error. Check your guest network configuration.
Guest authentication failed because guest account not found The specified user attempted to connect to the configured guest network (captive portal), but the guest username they provided was not recognized. Check your guest network configuration.
Guest authentication failed due to organization license A user attempted to connect to the configured guest network (captive portal), but access was denied because the number of previous guest users has reached the limit defined by the organization’s license.
Guest authentication success The specified user has successfully connected to the configured guest network (captive portal). This alert is for information purposes only and requires no action.
Guest credentials have expired When adding a guest user on the Guests screen (by clicking on the + icon), you can set the guest account to have an Expiration date that is Limited. This alert occurs when that expiration date is reached.
Guest forbidden attempt to access employees wireless network This alert occurs if the captive portal is set up on the same SSID that is specified for an organization’s Cloud group in its 802.1X Wireless network access setting section. Consequently, guest authentication is being attempted on an SSID configured for a Cloud-managed employee network.
Host file info was changed AgentP running on your managed device has detected changes in the local hosts file on the managed device. Make sure those changes are authorized and are not a result of a DNS hijacking attack. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Integration credentials expiring This expiration information refers to the credentials defined in Settings > GENERAL SETTINGS > Create credentials to access the CLEAR cloud service from external services.
Integration credentials have expired This expiration information refers to the credentials defined in Settings > GENERAL SETTINGS > Create credentials to access the CLEAR cloud service from external services.
Intune device obtains status ’Compliant’ The supplicant device managed by Microsoft Intune and recognized by Portnox Cloud is compliant with the Intune compliance policy. This alert is for information purposes only and requires no action.
Intune device obtains status ’Non-Compliant’ The supplicant device managed by Microsoft Intune and recognized by Portnox Cloud is not compliant with the Intune compliance policy. This alert is for information purposes only and requires no action.
Intune device was unenrolled The supplicant device managed by Microsoft Intune and recognized by Portnox Cloud has been unenrolled from Intune, affecting the risk assessment policy.
Intune synchronization completed Portnox Cloud has completed its periodical synchronization with your Microsoft Intune instance. This synchronization occurs periodically to ensure that Portnox Cloud has up-to-date information on device compliance.This alert is for information purposes only and requires no action.
Intune synchronization failed The attempt to synchronize data with your integrated Microsoft Intune instance has failed. Please verify that the synchronization is up to date, ensure that the credentials have not changed, and check for any other configuration changes that may have caused the issue.
LDAP directory trust is broken This alert is generated when MSCHAPv2 authentication via the AD Broker fails. Please contact Portnox Support for a detailed investigation.
License usage - Device limit reached The number of devices managed in your Portnox Cloud instance has reached the limit allowed by your license. Contact your Portnox representative to increase your limits or remove obsolete devices from your Cloud instance. This alert is generated daily if the condition is met.
License usage – 90% threshold reached The number of devices managed in your Portnox Cloud instance will soon reach the limit allowed by your license. Contact your Portnox representative to increase your limits or remove obsolete devices from your Cloud instance. This alert is generated daily if the condition is met.
Local user account(s) on the device changed group membership AgentP running on your managed device has detected that a user has been reassigned to a different group by the device administrator. This alert is generated only for macOS and Linux devices with local user accounts that have group memberships. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Local user account(s) were deleted from the device AgentP running on your managed device has detected that a local user account has been deleted by the device administrator. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
MAC bypass denied When the device attempted to access the network, its MAC address was not recognized, as it was not associated with any existing MAC-based accounts. As a result, Portnox Cloud denied the device’s access.
MAC bypass denied - MAC address is expired When the device attempted to access the network, its MAC address was recognized but had expired. This occurred because an expiration date was set when the MAC address was added to the MAC-based account.
NAS was added to CLEAR A new NAS device was detected by Portnox Cloud and added to the list of your NAS devices. This alert is for information purposes only and requires no action.
New account was created This is an internal alert for testing purposes only. If you see this alert in your tenant, please contact Portnox Support for a detailed investigation.
New application was installed on the device AgentP running on your managed device has detected that a new application was installed on that managed device. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
New certificate was installed on the device AgentP running on your managed device has detected that a new certificate was installed in the operating system. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
New device fingerprint was discovered by IoT profiling The IoT profiling mechanism in Portnox Cloud detected a new device fingerprint. This happens when IoT profiling is turned on for a specific MAB account.
New device was enrolled A new managed device was enrolled in Portnox Cloud by AgentP installed on that device. This alert is for information purposes only and requires no action.
New Intune device was enrolled A new managed device was enrolled in Microsoft Intune and subsequently in Portnox Cloud through the Intune integration. This alert is for information purposes only and requires no action.
New local user account(s) were created on the device AgentP running on your managed device has detected that new user accounts were created on this device. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
New peripheral device was attached to the device AgentP running on your managed device has detected that a new peripheral device was attached to your managed device, such as an external USB disk. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
New port was opened on the device AgentP running on your managed device has detected that a new port was opened on your device’s firewall. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
New SIM card was inserted in the device AgentP running on your managed mobile device has detected that a new SIM card was inserted into your device’s SIM port. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
Okta access attempt denied due to access by not enrolled device This alert refers to the Okta MFA RADIUS feature, configured here: Settings > INTEGRATION SERVICES > CLEAR OKTA SERVICE. This service allows you to use Portnox AgentP as a second factor when signing in to Okta. The alert occurs if the AgentP used is not enrolled for the user signing in.
Okta access denied by Administrator This alert refers to the Okta MFA RADIUS feature, configured here: Settings > INTEGRATION SERVICES > CLEAR OKTA SERVICE. This service allows you to use Portnox AgentP as a second factor when signing in to Okta. The alert occurs if AgentP is blocked by a Portnox Cloud administrator in the Cloud portal.
Okta access denied due to missing device policy This alert refers to the Okta MFA RADIUS feature, configured here: Settings > INTEGRATION SERVICES > CLEAR OKTA SERVICE. This service allows you to use Portnox AgentP as a second factor when signing in to Okta. The alert occurs if Portnox Cloud has no risk score for the AgentP device. This alert is very unlikely to occur. If it does, contact Portnox Support for a detailed investigation.
Okta access denied due to policy violation This alert refers to the Okta MFA RADIUS feature, configured here: Settings > INTEGRATION SERVICES > CLEAR OKTA SERVICE. This service allows you to use Portnox AgentP as a second factor when signing in to Okta. The alert occurs if the risk score of the AgentP device reaches the Block level.
Okta access not allowed by group settings This alert refers to the Okta MFA RADIUS feature, configured here: Settings > INTEGRATION SERVICES > CLEAR OKTA SERVICE. This service allows you to use Portnox AgentP as a second factor when signing in to Okta. This alert is very unlikely to occur. If it does, contact Portnox Support for a detailed investigation.
Okta authentication success This alert refers to the Okta MFA RADIUS feature, configured here: Settings > INTEGRATION SERVICES > CLEAR OKTA SERVICE. This service allows you to use Portnox AgentP as a second factor when signing in to Okta.. The alert occurs if authentication was successful.
Okta connection not allowed for the device This alert refers to the Okta MFA RADIUS feature, configured here: Settings > INTEGRATION SERVICES > CLEAR OKTA SERVICE. This service allows you to use Portnox AgentP as a second factor when signing in to Okta.. The alert occurs if you disable Okta access in the group settings (Okta access > Enable Okta access to devices in this group).
Okta Directory synchronization completed Portnox Cloud has completed its periodical synchronization with your Okta repository. This synchronization occurs periodically to ensure that Portnox Cloud has up-to-date authentication information from your directory. This alert is for information purposes only and requires no action.
Okta Directory synchronization failed Portnox Cloud attempted to carry out its periodical synchronization with your Okta repository but the attempt failed. Check if your Okta Workforce Identity configuration has changed.
Okta Directory synchronization timed out Portnox Cloud attempted to carry out its periodical synchronization with your Okta repository but the attempt failed. This is an intermittent fault due to network connectivity issues between Portnox and Okta.
OKTA RADIUS forbidden attempt to access with expired credentials This alert refers to the Okta MFA RADIUS feature, configured here: Settings > INTEGRATION SERVICES > CLEAR OKTA SERVICE. This service allows you to use Portnox AgentP as a second factor when signing in to Okta.. The shared secret in these settings has an internal expiration term of 3,650 days (10 years). This alert occurs when this expiration term is reached.
Operating system changed This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
Organization certificate about to expire One of the certificates added in the Settings > GENERAL SETTINGS > Trusted Root Certificates section is about to expire.
Organization subscription type was changed A Portnox representative has changed your organization’s subscription type. This alert is for information purposes only and requires no action.
Organization’s subscription is about to expire Your organization’s Portnox Cloud subscription period is about to expire. Your devices and users may be denied access once the subscription expires. Contact your Portnox representative as soon as possible about extending your subscription.
OS version changed AgentP running on your managed device has detected that the operating system of that managed device has a version different than the one previously identified. This usually occurs when operating systems are updated to newer versions. This alert is triggered only if the relevant options are enabled in the risk assessment policy.
OTP access attempt denied due to expired token This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
OTP access attempt denied due to login name differs from device account This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
OTP access attempt denied due to missing token This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
OTP access attempt denied due to wrong token This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
Portnox Conditional Access for Applications authentication failed An attempt to authenticate with an application using Portnox Conditional Access failed. The reason for this failure is specified in the description of the alert on the Alerts screen.
Portnox Conditional Access for Applications authentication failed because account blocked by admin An attempt to authenticate with an application using Portnox Conditional Access failed because the account of the user was manually blocked in Portnox Cloud by the administrator.
Portnox Conditional Access for Applications authentication failed because account not found An attempt to authenticate with an application using Portnox Conditional Access failed because the account of the user was not found in Portnox Cloud.
Portnox Conditional Access for Applications authentication failed because device blocked by admin An attempt to authenticate with an application using Portnox Conditional Access failed because the device used to authenticate was manually blocked in Portnox Cloud by the administrator.
Portnox Conditional Access for Applications authentication failed because device is not enrolled An attempt to authenticate with an application using Portnox Conditional Access failed because the device used to authenticate is not enrolled with AgentP.
Portnox Conditional Access for Applications authentication failed because device not found An attempt to authenticate with an application using Portnox Conditional Access failed because the account representing the device used to authenticate was not found in Portnox Cloud.
Portnox Conditional Access for Applications authentication failed because device provided wrong certificate An attempt to authenticate with an application using Portnox Conditional Access failed because the device used to authenticate provided the wrong certificate. The user should restart their browser and try again, selecting the correct certificate for their account.
Portnox Conditional Access for Applications authentication failed because of unauthorized access An attempt to authenticate with an application using Portnox Conditional Access failed because the device is associated with a different organization that does not have permission to access the application. The organization ID in the authorization URL of the external application differs from the organization ID in the AgentP certificate.
Portnox Conditional Access for Applications authentication failed due to exceeded license An attempt to authenticate with an application using Portnox Conditional Access failed because the number of devices using Conditional Access exceeds the limitations of your current license. Contact your Portnox sales representative to increase your limits.
Portnox Conditional Access for Applications authentication success The user has successfully authenticated with the specified application using Conditional Access for Applications, as noted in this alert. This alert is for information purposes only and requires no action.
Portnox Conditional Access for Applications has prevented this device from accessing an application due to the risk score reaching “Block” level An attempt to authenticate with an application using Portnox Conditional Access failed because the device used to authenticate is considered too risky to access the application on the basis on the risk assessment policy settings. The risk score has reached the level of the Block category. Check AgentP on the device and reduce the risk score as instructed.
Preventive action executed AgentP running on your managed device executed the required preventive actions on that device, as specified in the remediation policy. This alert is for information purposes only and requires no action.
Preventive action failed AgentP running on your managed device attempted to execute the required preventive actions on that device, as specified in the remediation policy, but these actions failed. Check the managed device for details.
Radius accounting request This is an internal alert for testing purposes only. If you see this alert in your tenant, please contact Portnox Support for a detailed investigation.
RADIUS failed to authenticate device against CLEAR services This alert typically appears for 802.1X connections and indicates that there was either an internal error in Portnox Cloud or an error in RADIUS authentication that is not covered by other alerts with more specific conditions. If you are unable to identify the cause, please contact Portnox Support for a detailed investigation.
RADIUS failed to authenticate device due to eap-tls error A device attempted certificate-based authentication (EAP-TLS) with the Portnox Cloud RADIUS server, but there was an error in communication or configuration. The error condition is specified in the alert, for example, the certificate could be missing or corrupted.
RADIUS failed to authenticate device due to unsupported authentication type A device attempted authentication with the Portnox Cloud RADIUS server, but the authentication type configured for the device is not supported by the RADIUS server. This commonly occurs when a supplicant device is configured to use MSCHAPv2 authentication, but the authentication repository is Entra ID, Google Workspace, or Okta Workforce Identity, which do not support MSCHAPv2.
RADIUS forbidden attempt to access with expired credentials The shared secret in the configuration of the Cloud RADIUS server has an internal expiration term of 3,650 days (10 years). This alert occurs when this term is reached.
RADIUS forbidden attempt to access with wrong SharedSecret for organization This alert typically occurs if the wrong shared secret has been configured for your Cloud RADIUS server on your VPN server. Review and verify your VPN server configuration.
SIEM integration was disabled This alert occurs when there are 20 consecutive failed attempts to connect to a SIEM server. Then, the integration is set to disabled, and no further attempts are made.
Successful radius authentication request This is an internal alert for testing purposes only. If you see this alert in your tenant, please contact Portnox Support for a detailed investigation.
Synchronization with Google Workspace failed Portnox Cloud has attempted its periodical synchronization with your Google Workspace authentication repository but the attempt failed. Check if your Google Workspace configuration has been changed recently.
Synchronization with Google Workspace successfully completed Portnox Cloud has completed its periodical synchronization with your Google Workspace authentication repository. This synchronization occurs periodically to ensure that Portnox Cloud has up-to-date authentication information from your directory. This alert is for information purposes only and requires no action.
TACACS+ access attempt denied due to sites restrictions. Command-based attribute was not detected This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
TACACS+ access attempt denied due to sites restrictions. Command-based rule was not detected This alert occurs only in case of internal errors in the Portnox Cloud database. If it occurs, contact Portnox Support for a detailed investigation.
TACACS+ access attempt denied due to sites restrictions. NAS was not detected A user attempted to send an authentication request to a NAS device using TACACS+; however, access was denied because the NAS device was not detected, most likely due to an internal error in Portnox Cloud. This alert is very unlikely to occur, but if it does, contact Portnox Support for a detailed investigation.
TACACS+ access attempt denied due to sites restrictions. Session attribute was not detected This alert occurs only in case of internal errors in the Portnox Cloud database. If it occurs, contact Portnox Support for a detailed investigation.
TACACS+ access attempt denied due to sites restrictions. Session rule was not detected This alert occurs only in case of internal errors in the Portnox Cloud database. If it occurs, contact Portnox Support for a detailed investigation.
TACACS+ access attempt denied due to wrong credentials A user attempted to send an authentication request to a NAS device using TACACS+; however, access was denied due to incorrect credentials.
TACACS+ access denied - account is not found A user attempted to send an authentication request to a NAS device using TACACS+; however, access was denied because Portnox Cloud does not have an account that matches the provided username. Check your authentication repository.
TACACS+ accounting This alert contains the details of the TACACS+ accounting Start or Stop event. This alert is for information purposes only and requires no action.
TACACS+ authentication attempt denied due to access has been blocked by Azure Conditional Access policies A user attempted to send an authentication request to a NAS device using TACACS+; however, the user was authenticated using Entra ID (formerly Azure Active Directory), and Azure Conditional Access policies for that user caused an access denial. Check your Entra ID / Azure Conditional Access configuration.
TACACS+ authentication attempt denied due to account ambiguities. A user attempted to send an authentication request to a NAS device using TACACS+; however, the credentials did not include a domain name, and multiple domains are configured in Portnox Cloud. As a result, Portnox Cloud was unable to determine which domain the user belongs to.
TACACS+ authentication attempt denied due to blocked by admin account A user attempted to send an authentication request to a NAS device using TACACS+; however, a Portnox Cloud administrator blocked the Cloud accout of that user on the Devices screen.
TACACS+ authentication attempt denied due to expired account A user attempted to send an authentication request to a NAS device using TACACS+; however, the request was denied because the account is a Cloud account that has an expiration date, and the account has expired.
TACACS+ authentication attempt denied due to license limitation A user attempted to send an authentication request to a NAS device using TACACS+; however, the number of administrators or the number of devices exceeds the limitations of your current license. Contact your Portnox sales representative to increase your limits.
TACACS+ authentication attempt denied due to MFA timeout The group that the user belongs to is configured to require multi-factor authentication (MFA) with TACACS+. The TACACS+ authentication attempt was denied because the MFA authentication failed due to a timeout.
TACACS+ authentication attempt denied due to MFA verification failure. Account is not onboarded A user attempted to send an authentication request to a NAS device using TACACS+; however, the group configuration in the TACACS+ access section specifies that MFA using AgentP is required. Although the user exists in your external repository, they are not onboarded in Portnox Cloud with AgentP.
TACACS+ authentication attempt denied due to MFA verification failure. Azure AD user must enroll in MFA to access The group that the user belongs to is configured to require multi-factor authentication (MFA) with TACACS+. The TACACS+ authentication attempt was denied because the user is not enrolled in MFA.
TACACS+ authentication attempt denied due to MFA verification failure. Azure AD user must perform MFA to access The group that the user belongs to is configured to require multi-factor authentication (MFA) with TACACS+. The TACACS+ authentication attempt was denied because the user is enrolled in MFA but they did not use it.
TACACS+ authentication attempt denied due to MFA verification failure. Azure AD user must refresh MFA to access The group that the user belongs to is configured to require multi-factor authentication (MFA) with TACACS+. The TACACS+ authentication attempt was denied because the user used an outdated MFA code.
TACACS+ authentication attempt denied due to MFA verification failure. There are no suitable devices to process A user attempted to send an authentication request to a NAS device using TACACS+; however, the group configuration in the TACACS+ access section specifies that TACACS+ authentication must be sent only to mobile devices, and the device is not recognized as a mobile device.
TACACS+ authentication attempt denied due to MFA verification interruption. Azure AD user must enroll in MFA to access The group that the user belongs to is configured to require multi-factor authentication (MFA) with TACACS+. The TACACS+ authentication attempt was denied because the user is not enrolled in MFA.
TACACS+ authentication attempt denied due to MFA verification interruption. Azure AD user must perform MFA to access The group that the user belongs to is configured to require multi-factor authentication (MFA) with TACACS+. The TACACS+ authentication attempt was denied because the user is enrolled in MFA but they did not use it.
TACACS+ authentication attempt denied due to missing TACACS+ policy mapping A user attempted to send an authentication request to a NAS device using TACACS+; however, no TACACS+ policy matches the group of the account and the accessed NAS device. For instance, the TACACS+ policy list for the group might be empty.
TACACS+ authentication attempt denied due to password reset requirements. A user attempted to send an authentication request to a NAS device using TACACS+; however, the user account requires their password to be reset before the account can be used. Reset your user password and try again.
TACACS+ authentication attempt denied due to rejected MFA The group that the user belongs to is configured to require multi-factor authentication (MFA) with TACACS+. The TACACS+ authentication attempt was denied because the MFA code was incorred and was rejected.
TACACS+ authentication attempt denied due to server error A user attempted to send an authentication request to a NAS device using TACACS+; however, a Portnox Cloud server error occurred. Error details are provided in the alert description. If these details are unclear, contact Portnox Support for a detailed investigation.
TACACS+ authentication success The user was successfully authenticated to the NAS device using TACACS+. This alert is for information purposes only and requires no action.
TACACS+ authorization attempt denied due to account ambiguities. A user attempted to send an authorization request to a NAS device using TACACS+; however, the same user exists in two different authentication repositories (most likely, a Cloud account and an external repository account). As a result, Portnox Cloud was unable to determine which domain the user belongs to.
TACACS+ authorization attempt denied due to blocked by admin account A user attempted to send an authorization request to a NAS device using TACACS+; however, a Portnox Cloud administrator blocked the Cloud accout of that user on the Devices screen.
TACACS+ authorization attempt denied due to expired account A user attempted to send an authorization request to a NAS device using TACACS+; however, the request was denied because the account is a Cloud account that has an expiration date, and the account has expired.
TACACS+ authorization attempt denied due to license limitation A user attempted to send an authorization request to a NAS device using TACACS+; however, the number of administrators or the number of devices exceeds the limitations of your current license. Contact your Portnox sales representative to increase your limits.
TACACS+ authorization attempt denied due to MFA timeout The group that the user belongs to is configured to require multi-factor authentication (MFA) with TACACS+. The TACACS+ authorization attempt was denied because the MFA authentication failed due to a timeout.
TACACS+ authorization attempt denied due to MFA verification failure. Account is not onboarded A user attempted to send an authorization request to a NAS device using TACACS+; however, the group configuration in the TACACS+ access section specifies that MFA using AgentP is required. Although the user exists in your external repository, they are not onboarded in Portnox Cloud with AgentP.
TACACS+ authorization attempt denied due to MFA verification failure. There are no suitable devices to process There is a mismatch between the user and the device, likely because the account used for TACACS+ access is different from the account that AgentP is enrolled with. As a result, multi-factor authentication (MFA) cannot process the authorization for the current device.
TACACS+ authorization attempt denied due to missing TACACS+ policy mapping A user attempted to send an authorization request to a NAS device using TACACS+; however, no TACACS+ policy matches the group of the account and the accessed NAS device. For instance, the TACACS+ policy list for the group might be empty.
TACACS+ authorization attempt denied due to rejected MFA The group that the user belongs to is configured to require multi-factor authentication (MFA) with TACACS+. The TACACS+ authorization attempt was denied because the MFA code was incorred and was rejected.
TACACS+ authorization attempt denied due to server error A user attempted to send an authorization request to a NAS device using TACACS+; however, a Portnox Cloud server error occurred. Error details are provided in the alert description. If these details are unclear, contact Portnox Support for a detailed investigation.
TACACS+ authorization success The user was successfully authorized to execute a command on the NAS device using TACACS+. This alert includes the NAS IP address, user details, the executed command, and its arguments. This alert is for information purposes only and requires no action.
TACACS+ command-based connection not allowed for the account A user attempted to send a request to a NAS device using TACACS+; however, the command they sent is not permitted by the TACACS+ policy that applies to this user.
TACACS+ service connection not allowed for the account A user attempted to send a request to a NAS device using TACACS+; however, the service they used is not permitted by the TACACS+ policy that applies to this user (it is not in the Allowed services list).
The evaluation period has expired Your Portnox Cloud evaluation period has expired. Contact your Portnox representative for information about purchasing options.
The Portnox Directory Broker done with synchronization The Portnox Active Directory broker has successfully completed its synchronization with your on-premises Active Directory or LDAP directory. This synchronization occurs periodically to ensure that Portnox Cloud has up-to-date authentication information from your directory. This alert is for information purposes only and requires no action.
The Portnox Directory Broker has wrong credentials The LDAP account credentials provided during the installation of the AD Broker, which are used to connect the AD Broker to your Active Directory, are incorrect. This alert does not apply to the credentials used to connect the AD Broker to the Portnox Cloud tenant.
The Portnox Directory Broker is active The specified Portnox Active Directory broker has been detected as active. This alert is for information purposes only and requires no action.
The Portnox Directory Broker is dormant The specified Portnox Active Directory broker was marked as dormant due to inactivity. To troubleshoot, check the machine where the broker is installed. For more information, see the following topic: How to troubleshoot problems with the AD Broker.
The Portnox Directory Broker is misconfigured This alert can occur if the Portnox AD Broker detects that the list of domain controllers or domain names is empty. This situation may arise due to a misconfiguration of the integration.
The Portnox Directory Broker is offline Portnox Cloud cannot communicate with the specified Portnox Active Directory broker. To troubleshoot connectivity issues, see the following topic: How to check if the AD Broker connects to the cloud.
Unable to create account. LDAP autoonboarding disabled An attempt to create an account was unsuccessful because the option to enroll devices automatically using LDAP and external repositories is disabled. You can change this setting by editing the group that the account belongs to.
Unable to detect NAS Portnox Cloud is unable to identify which NAS the request pertains to, based on the information in the RADIUS request, or an internal error has occurred. This alert is highly unlikely to happen. If it does, contact Portnox Support for a detailed investigation.
Unable to enroll a new device You cannot enroll a new device with AgentP because the number of devices already enrolled with AgentP exceeds the limit in your license. Contact your Portnox sales representative to increase your limits.
Unable to enroll a new device due to LDAP group enrollment settings An attempt was made to enroll a new device with AgentP in Portnox Cloud, but it was denied because the group that the device belongs to does not allow LDAP-based enrollment.
Unable to enroll a new device due to organization enroll settings An attempt was made to enroll a new device with AgentP in Portnox Cloud, but it was denied because the enrollment method used is not permitted by the settings for the organization. These settings are configured in the Settings > SERVICES > GENERAL SETTINGS > AgentP Enrollment Policy section.
Unable to enroll a new device due to organization subscription expiration Your organization’s Portnox Cloud subscription period expired, so it was not possible to enroll any more devices. Contact your Portnox representative as soon as possible about extending your subscription.
Unable to enroll a new device due to OS restriction An attempt to enroll a new device in Portnox Cloud was denied because the device’s operating system is not allowed by the group’s configuration settings.
Unattended enrollment: reached maximum number of devices A new device could not be enrolled for the specified account because the group associated with this account has reached the configured maximum allowed number of devices. Change the configuration of the group to enroll additional devices.
Unrecognized LDAP domain names detected This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
User repository group removal confirmation required This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
User repository synchronization is pending This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
VPN access attempt denied - AD account is expired A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the account used for authentication is an Active Directory account, and the account has expired. Please check your Active Directory repository.
VPN access attempt denied - AD account is locked out A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the account used for authentication is an Active Directory account, and the account is locked out in Active Directory. Please check your Active Directory repository.
VPN access attempt denied - AD account password is expired A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the account used for authentication is an Active Directory account, and the password for this account has expired. Please check your Active Directory repository.
VPN access attempt denied due to access by not enrolled device A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the device is not agentless, but it has not finished the AgentP enrollment process. This alert is very unlikely to occur.
VPN access attempt denied due to AgentP strong factor validation A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the user was required to use AgentP for multi-factor authentication but chose not to comply.
VPN access attempt denied due to AgentP strong factor validation timeout A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the user was required to use AgentP for multi-factor authentication but did not provide the second factor within the allotted time.
VPN access attempt denied due to forbidden authentication type A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the authentication type used in the attempt is not allowed for the group (Groups > group_name > VPN Access > Allowed authentication types).
VPN access attempt denied due to forbidden primary factor type This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
VPN access attempt denied due to MFA verification failure A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the account used for authentication requires multi-factor authentication (MFA), but the MFA process failed, such as when the user entered an incorrect MFA code.
VPN access attempt denied due to MFA verification failure. There are no suitable devices to process There is a mismatch between the user and the device, likely because the account used for VPN client access is different from the account that AgentP is enrolled with. As a result, multi-factor authentication (MFA) cannot process the access attempt for the current device.
VPN access attempt denied due to no managed devices found to validate risk score A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because you enabled the Validate Risk score for all managed devices option in the VPN Access section of the group configuration, and Portnox Cloud could not find any devices to validate the risk score against.
VPN access attempt denied due to sites restrictions violation A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because you enabled the Restrict access to network sites > Allow access only to the following network sites option in the VPN Access section of the group configuration, and the user attempted to connect to one of the sites that are not in the allowed list.
VPN access attempt denied due to sites restrictions. NAS was not detected A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the NAS device was not detected, most likely due to an internal error in Portnox Cloud. This alert is very unlikely to occur, but if it does, contact Portnox Support for a detailed investigation.
VPN access attempt denied due to supplicant certificate invalid A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the authentication was done using a certificate, and the supplicant’s certificate is invalid. Please check your certificate store in the operating system.
VPN access attempt denied due to supplicant certificate issuer untrusted A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the authentication was done using a certificate, and the supplicant’s certificate issuer failed the trust validation. This can occur, for example, if the supplicant’s certificate was issued by a different root Certificate Authority (CA) than the one configured in Portnox Cloud. To resolve this, verify that your supplicant certificate is issued by the same root CA as the one configured in Cloud. For more information about certificates, refer to the following topic: Types of certificates.
VPN access attempt denied due to supplicant certificate untrusted A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the authentication was done using a certificate, and the supplicant’s certificate failed the trust validation. This can happen if one of the certificates in the supplicant’s trust chain is not recognized. To resolve the issue, ensure that if you’re using your own Certificate Authority (CA) to generate certificates, all certificates in the chain (including intermediate ones) are added to the Cloud configuration. For more information on certificates, refer to the following topic: Types of certificates.
VPN access attempt denied due to unsupported authentication type A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the client used an unsupported authentication type. This commonly occurs when a client is configured to use MSCHAPv2 authentication, but the authentication repository is Entra ID, Google Workspace, or Okta Workforce Identity, which do not support MSCHAPv2.
VPN access attempt denied due to wrong configuration This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
VPN access attempt denied due to wrong credentials A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because they entered incorrect credentials in their VPN client. Check your VPN configuration and make sure that this was not a malicious attempt.
VPN access denied - account is not found A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because Portnox Cloud does not have an account that matches the provided username. Check your authentication repository.
VPN access denied - device not found This is an obsolete alert. If it unexpectedly appears on your Alert screen, please contact Portnox support for further investigation.
VPN access denied - user name ambiguous A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the user has more than one account. This typically happens when the same user has accounts in different authentication repositories and the username was provided without the domain name, which uniquely identifies the repository.
VPN access denied by Administrator A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because a Portnox Cloud administrator selected the device on the Devices screen and clicked the Block button.
VPN access denied due to missing device policy A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because Portnox Cloud has no risk score for the AgentP device. This alert is very unlikely to occur. If it does, contact Portnox Support for a detailed investigation.
VPN access denied due to policy violation A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the device did not meet the requirements of the risk assessment policy. This alert provides details on the specific requirements the device must meet to gain VPN access.
VPN access not allowed by group settings A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the user belongs to a group that is restricted from VPN access.
VPN authentication success The user has successfully connected to a VPN managed by Portnox Cloud. This alert is for information purposes only and requires no action.
VPN client application is not recognized The VPN client application used to access the VPN server was not recognized. Check if you’re using the correct VPN client and the correct client version for your server type and version.
VPN connection not allowed for the device A user attempted to connect to a VPN managed by Portnox Cloud, but the connection was denied because the device belongs to a group that is restricted from VPN access.
Welcome to the Portnox™ CLEAR Service This is the first alert in your Alerts list after creating the Portnox Cloud (formerly CLEAR) tenant.
Wi-Fi provisioning failed for device AgentP attempted to configure the Wi-Fi adapter on the device but was unsuccessful. Possible reasons include a Group Policy Object (GPO) blocking adapter configuration, incorrect Cloud group settings, missing app permissions, a missing passcode on the device, or other factors.