diff --git a/openbsc/include/openbsc/auth.h b/openbsc/include/openbsc/auth.h
index 0e5cad630..2364fb3d2 100644
--- a/openbsc/include/openbsc/auth.h
+++ b/openbsc/include/openbsc/auth.h
@@ -4,6 +4,13 @@
 struct gsm_auth_tuple;
 struct gsm_subscriber;
 
+enum auth_action {
+	AUTH_NOT_AVAIL		= 0,	/* No auth tuple available */
+	AUTH_DO_AUTH_THAN_CIPH	= 1,	/* Firsth authenticate, then cipher */
+	AUTH_DO_CIPH		= 2,	/* Only ciphering */
+	AUTH_DO_AUTH		= 3,	/* Only authentication, no ciphering */
+};
+
 int auth_get_tuple_for_subscr(struct gsm_auth_tuple *atuple,
                               struct gsm_subscriber *subscr, int key_seq);
 
diff --git a/openbsc/src/auth.c b/openbsc/src/auth.c
index ee1e291c4..b00c865fb 100644
--- a/openbsc/src/auth.c
+++ b/openbsc/src/auth.c
@@ -23,6 +23,7 @@
 
 #include <openbsc/db.h>
 #include <openbsc/debug.h>
+#include <openbsc/auth.h>
 #include <openbsc/gsm_data.h>
 
 #include <osmocore/comp128.h>
@@ -81,7 +82,7 @@ int auth_get_tuple_for_subscr(struct gsm_auth_tuple *atuple,
 	rc = db_get_authinfo_for_subscr(&ainfo, subscr);
 	if (rc < 0) {
 		DEBUGP(DMM, "No retrievable Ki for subscriber, skipping auth");
-		return rc == -ENOENT ? 0 : -1;
+		return rc == -ENOENT ? AUTH_NOT_AVAIL : -1;
 	}
 
 	/* If possible, re-use the last tuple and skip auth */
@@ -92,7 +93,7 @@ int auth_get_tuple_for_subscr(struct gsm_auth_tuple *atuple,
 	{
 		atuple->use_count++;
 		db_sync_lastauthtuple_for_subscr(atuple, subscr);
-		return 2;
+		return AUTH_DO_CIPH;
 	}
 
 	/* Generate a new one */
@@ -123,6 +124,6 @@ int auth_get_tuple_for_subscr(struct gsm_auth_tuple *atuple,
 
         db_sync_lastauthtuple_for_subscr(atuple, subscr);
 
-	return 1;
+	return AUTH_DO_AUTH_THAN_CIPH;
 }
 
diff --git a/openbsc/src/gsm_04_08.c b/openbsc/src/gsm_04_08.c
index c3bf64f21..02854b6fd 100644
--- a/openbsc/src/gsm_04_08.c
+++ b/openbsc/src/gsm_04_08.c
@@ -191,10 +191,10 @@ int gsm48_secure_channel(struct gsm_subscriber_connection *conn, int key_seq,
 		/* FIXME: Should start a timer for completion ... */
 
 	/* Then do whatever is needed ... */
-	if (rc == 1) {
+	if (rc == AUTH_DO_AUTH_THAN_CIPH) {
 		/* Start authentication */
 		return gsm48_tx_mm_auth_req(conn, op->atuple.rand, op->atuple.key_seq);
-	} else if (rc == 2) {
+	} else if (rc == AUTH_DO_CIPH) {
 		/* Start ciphering directly */
 		return gsm0808_cipher_mode(conn, net->a5_encryption,
 		                           op->atuple.kc, 8, 0);