When EAP authentication is used, the following measurements are recorded on the IPSec, NAS Node, and AAA Server Node report tabs.
The following measurements record the number and types of general EAP messages exchanged full and fast authentication processes. Measurements for the specific authentication method selected are explained in the sections below.
EAP Identity Request Count — The number of Identity requests received by the MNs.
EAP Identity Response Count — The number of Identity responses sent by the MNs.
EAP Success Count — The number of Success messages received by the MNs, indicating that authentication succeeded.
EAP Failure Count — The number of Failure messages received by the MNs, indicating that authentication failed.
EAP Notification Count — The number of Notification messages received by the MNs.
EAP NAK Response Count — The number of NAK responses sent by the MNs, indicating that a legacy authentication method that is not supported by the MNs was requested.
EAP Expanded NAK Response Count — The number off Expanded NAK responses sent by the MNs, indicating that a vendor-specific authentication method that is not supported by the MNs was requested.
EAP Unknown Method Type Count — The number of times a non-supported authentication method was requested.
EAP Timeout Count — The number of times an Identity Response was sent without receiving a follow-on request. If Retries is defined, the response will be re-transmitted.
The following measurements report on the results of EAP session attempts:
EAP Setup Count — The number of times an Identity Response was sent before EAP session was setup.
EAP Maximum Setup Time — The maximum time, in microseconds, required to establish a EAP session.
EAP Minimum Setup Time — The minimum time, in microseconds, required to establish a EAP session.
EAP Average Setup Time — The average time, in microseconds, required to establish a EAP session.
The following measurements record MD5 authentication processing.
MD5 Challenge Request Count — The number of MD5 Challenge requests received by the MNs.
MD5 Challenge Response Count — The number of MD5 Challenge responses sent by the MNs.
MD5 Authentication Failure Count — The number of times authentication failed.
MD5 Timeout Count — The number of times a challenge response was sent without receiving either a Success or Failure message. If Retries is defined, the response will be re-transmitted.
MD5 Malformed Message Count — The number of times a message was received that could not be parsed.
The following measurements record EAP-SIM authentication processing.
SIM Start Request Count — The number of SIM/Start requests received by the MNs.
SIM Start Response Count — The number of SIM/Start responses sent by the MNs.
SIM Challenge Request Count — The number of SIM/Challenge requests received by the MNs.
SIM Challenge Response Count — The number of SIM/Challenge responses sent by the MNs.
SIM Fast Re-authentication Request Count — The number of SIM/Re-authentication requests received by the MNs.
SIM Fast Re-authentication Response Count — The number of SIM/Re-authentication responses sent by the MNs.
SIM Client Error Response Count — The number of Client Error responses sent by the MNs, indicating that it could not accept or could not validate the request received due to a malformed request or invalid values in the request. When a server receives a Client Error, it returns an EAP Failure message authentication is terminated.
SIM Notification Request Count — The number of SIM Notifications received by the MNs. A SIM Notification may be informational or it may indicate the specific cause for an authentication failure or an error encountered after authentication succeeded. If a failure or error was encountered, the server will follow up with an EAP Failure message after receiving a notification response.
SIM Notification Response Count — The number of SIM Notifications sent by the MNs in reply to notifications received.
SIM Authentication Success Count — The number of times authentication succeeded.
SIM Authentication Failure Count — The number of times authentication failed.
SIM Malformed Message Count — The number of times a message was received that could not be parsed.
SIM Timeout Count — The number of times a response was sent without receiving an expected follow-on request. If Retries is defined, the response will be re-transmitted.
The following measurements record EAP-AKA authentication processing.
AKA Identity Request Count — The number of AKA Identity requests received by the MNs. A server may send an AKA Identity request rather than an EAP Identity request in order to inform the MN which type of identity it should return in an AKA Identity response.
AKA Identity Count — The number of AKA Identity responses sent by the MNs.
AKA Challenge Request Count — The number of AKA Challenge requests received by the MNs.
AKA Challenge Response Count — The number of AKA Challenge responses sent by the MNs.
AKA Fast Re-authentication Request Count — The number of AKA Re-authentication requests received by the MNs.
AKA Fast Re-authentication Response Count — The number of AKA Re-authentication responses sent by the MNs.
AKA Client Error Response Count — The number of Client Error responses sent by the MNs, indicating that it could not accept or could not validate the request received due to a malformed request or invalid values in the request. When a server receives a Client Error, it returns an EAP Failure message and authentication is terminated.
AKA Notification Request Count — The number of AKA Notifications received by the MNs. An AKA Notification may be informational or it may indicate the specific cause for an authentication failure or an error encountered after authentication succeeded. If a failure or error was encountered, the server will follow up with an EAP Failure message after receiving a notification response.
AKA Notification Response Count — The number of AKA Notifications sent by the MNs in reply to notifications received.
AKA Authentication Success Count — The number of times authentication succeeded.
AKA Authentication Failure Count — The number of times authentication failed.
AKA Malformed Message Count — The number of times a message was received that could not be parsed.
AKA AUTN Authentication Failure Count — The number of times authentication failed due to an invalid authentication token.
AKA Authentication Reject Count — The number of times AKA Authentication Reject messages were sent by the MNs due to an invalid authentication token received. The server responds with an EAP Failure message and authentication is terminated.
AKA Timeout Count — The number of times a response was sent without receiving an expected follow-on request. If Retries is defined, the response will be re-transmitted.
AKA' Challenge Request Count — The number of AKA Challenge requests received by the MNs.
AKA' Challenge Response Count — The number of AKA Challenge responses sent by the MNs.
AKA' Fast Re-authentication Request Count — The number of AKA Re-authentication requests received by the MNs.
AKA' Fast Re-authentication Response Count — The number of AKA Re-authentication responses sent by the MNs.
AKA' SyncFailure Response Count —
AKA' Client Error Response Count — The number of Client Error responses sent by the MNs, indicating that it could not accept or could not validate the request received due to a malformed request or invalid values in the request. When a server receives a Client Error, it returns an EAP Failure message and authentication is terminated.
AKA' Notification Request Count — The number of AKA Notifications received by the MNs. An AKA Notification may be informational or it may indicate the specific cause for an authentication failure or an error encountered after authentication succeeded. If a failure or error was encountered, the server will follow up with an EAP Failure message after receiving a notification response.
AKA' Notification Response Count — The number of AKA Notifications sent by the MNs in reply to notifications received.
AKA' Success Count — The number of times authentication succeeded.
AKA' Failure Count — The number of times authentication failed.
AKA' Authentication Success Count — The number of times authentication succeeded.
AKA' Authentication Failure Count — The number of times authentication failed.
AKA' Malformed Message Count — The number of times a message was received that could not be parsed.
AKA' AUTN Authentication Failure Count — The number of times authentication failed due to an invalid authentication token.
AKA' Authentication Reject Count — The number of times AKA Authentication Reject messages were sent by the MNs due to an invalid authentication token received. The server responds with an EAP Failure message and authentication is terminated.
AKA' Timeout Count — The number of times a response was sent without receiving an expected follow-on request. If Retries is defined, the response will be re-transmitted.
The following measurements record EAP-MSCHAPv2 authentication processing.
MS CHAPV2 Challenge Request Count — The number of MSCHAPv2/Challenge requests received by the MNs.
MS CHAPV2 Challenge Response Count — The number of MSCHAPv2/Challenge responses sent by the MNs.
MS CHAPV2 Success Count — The number of times authentication succeeded.
MS CHAPV2 Failure Count — The number of times authentication failed.
MS CHAPV2 Change Password Count — The number of Change-Password packets sent by the MNs.
MS CHAPV2 Timeout Count — The number of times a response was sent without receiving an expected follow-on request. If Retries is defined, the response will be re-transmitted.
EAP GTC Request Count — The number of GTC Challenge requests received by the MNs.
EAP GTC Response Count — The number of GTC Notifications sent by the MNs in reply to notifications received.
EAP GTC Timeout Count — The number of times a message was sent without receiving the expensed response. If Retries is defined, the response will be re-transmitted.
EAP GTC Malformed Message Count — The number of times a message was received that could not be parsed.
The following measurements record EAP-TLS authentication processing.
TLS Start Count — The number of times EAP-TLS authentication was attempted.
TLS Packet Count — The number of packets sent during authentication. Multiple TLS messages can be contained in one packet. Typically, three packets are required for one authentication.
TLS Success Count — The number of times authentication succeeded.
TLS Malformed Message Count — The number of times a message was received that could not be parsed.
TLS Timeout Count — The number of times a message was sent without receiving the expensed response. If Retries is defined, the response will be re-transmitted.
The following measurements record EAP-TLS messages sent and received by content type.
TLS Change Cipher Sent Count — The number of Change Cipher Spec protocol messages sent.
TLS Change Cipher Received Count — The number of Change Cipher Spec messages received.
TLS Alerts Sent Count — The number of Alert messages sent. Alert messages include Closure Alerts and Error Alerts.
TLS Alerts Received Count — The number of Alert messages received.
TLS Handshakes Sent Count — The number of Handshake messages sent. Handshake messages include Client Hello, Server Hello, Certificate, Server Key Exchange, Certificate Request, Certificate Verify, Client Key Exchange, and Finished messages.
TLS Handshakes Received Count — The number of Handshake messages received.
TLS Application Data Sent Count — The number of Application Data messages sent. Application Data messages transport higher level protocol payloads.
TLS Application Data Received Count — The number of Application Data messages received.
The following measurements record EAP-TLS messages sent and received by message type.
TLS Hello Requests Sent Count
TLS Hello Requests Received Count
TLS Client Hellos Sent Count
TLS Client Hellos Received Count
TLS Server Hellos Sent Count
TLS Server Hellos Received Count
TLS Certificates Sent Count
TLS Certificates Received Count
TLS Server Key Exchanges Sent Count
TLS Server Key Exchanges Received Count
TLS Certificate Requests Sent Count
TLS Certificate Requests Received Count
TLS Server Hello Done Sent Count
TLS Server Hello Done Received Count
TLS Certificate Verifies Sent Count
TLS Certificate Verifies Received Count
TLS Client Key Exchanges Sent Count
TLS Client Key Exchanges Received Count
TLS Finished Sent Count
TLS Finished Received Count
The following measurements record the number of TLS errors by cause.
TLS Alert Description- Close Notify Count — Notifies the recipient that the sender will not send any further messages on the current connection.
TLS Alert Description- Unexpected Msg Count — A fatal error indicating that an inappropriate message was received by the sender.
TLS Alert Description- Bad Record Mac Count — A fatal error indicating that the sender received a packet with an incorrect MAC.
TLS Alert Description- Decryption Failed Count — A fatal error indicating that a TLSCiphertext decrypted in a invalid way. It either wasn't an even multiple of the block length or its padding values were not correct.
TLS Alert Description- Record Overflow Count — A fatal error indicating that a TLSCiphertext record exceeded the maximum length or exceeded the maximum length when decrypted.
TLS Alert Description- Decompression Failure Count — A fatal error indicating that the decompression function received invalid input; possibly data that would expand to an excessive length.
TLS Alert Description- Handshake Failure Count — A fatal error indicating that the sender was unable to negotiate an acceptable set of security parameters given the options available.
TLS Alert Description- Bad Certificate Count — The certificate received was corrupt or otherwise invalid.
TLS Alert Description- Unsupported Cert Count — A certificate of a type not supported was received.
TLS Alert Description- Certificate Revoked Count — The certificate received was revoked by its signer.
TLS Alert Description- Certificate Expired Count — The certificate received has expired or is not currently valid.
TLS Alert Description- Certificate Unknown Count — An unspecified issue was encountered while processing the certificate, rendering it unacceptable.
TLS Alert Description- Illegal Parameter Count — A fatal error indicating that a field in the handshake was out of range or inconsistent with other fields.
TLS Alert Description- Unknown CA Count — A fatal error indicating that a certificate was rejected because the CA certificate could not be located or could not be associated with a trusted CA.
TLS Alert Description- Access Denied Count — A fatal error indicating that a valid certificate was received but due to access control policies, the sender decided not to proceed with negotiation.
TLS Alert Description- Decode Error Count — A fatal error indicating that a field was out of the specified range or the message length was incorrect.
TLS Alert Description- Decrypt Error Count — A handshake decryption operation failed, including signature validation, key exchange decryption, or Finished message validation.
TLS Alert Description- Export Restriction Count — A fatal error indicating that a negotiation not in compliance with export restrictions was detected.
TLS Alert Description- Protocol Version Count — A fatal error indicating that the client attempted to negotiate a recognized, but not supported, protocol version.
TLS Alert Description- Insufficient Security Count — A fatal error indicating that the handshake failed because the client proposed a cipher suite that did not meet the server's security standards.
TLS Alert Description- Internal Error Count — A fatal error indicating that an internal error prevents the server from continuing.
TLS Alert Description- User Cancelled Count — A warning indicating that the handshake is being canceled for a reason not related to a protocol failure.
TLS Alert Description- No Re-negotiation Count — A warning sent in response to a hello message received after the initial handshake is complete if the recipient determined that re-negotiation would not be appropriate.
TLS Unknown Alert Count — A fatal error indicating that an alert with an unknown description was received.
TLS Decryption Failure Count — A fatal error indicating that decryption failed due to a mismatch between keys.
The following measurements record EAP-FAST authentication processing.
EAP-FAST Payload TLVs Sent
EAP-FAST Payload TLVs Received
EAP-FAST PAC TLVs Sent
EAP-FAST PAC TLVs Received
EAP-FAST Crypto-Binding TLVs Sent
EAP-FAST Crypto-Binding TLVs Received
EAP-FAST Intermediate Result TLVs Sent
EAP-FAST Intermediate Result TLVs Received
EAP-FAST Result TLVs Sent
EAP-FAST Result TLVs Received
EAP-FAST PAC Key TLVs Sent
EAP-FAST PAC Key TLVs Received
EAP-FAST PAC Opaque TLVs Sent
EAP-FAST PAC Opaque TLVs Received
EAP-FAST PAC Info TLVs Sent
EAP-FAST PAC Info TLVs Received
EAP-FAST PAC Ack TLVs Sent
EAP-FAST PAC Ack TLVs Received