https://community.cisco.com/t5/network-access-control/adding-ips-modules-to-ips/m-p/2400877#M134354 <P>Have got ISE 1.2 running and have my firewalls authenticating against them and need to get my IPS modules authenticating as well but don't seem to be able to get them to.</P><P></P><P>My settings on teh IPS Device are as follows</P><P></P><P>Servier IP Address - {ISE Address}</P><P>Authentication Port - 1645</P><P>Timeout (seconds - 3</P><P>Shared Secret - {Shared Secret}</P><P></P><P>However ISE is rejecting the request </P><P></P><TABLE border="0" cellpadding="3" style="width: 500px;"><TBODY><TR><TD></TD><TD>11001</TD><TD>Received RADIUS Access-Request</TD></TR><TR><TD></TD><TD>11017</TD><TD>RADIUS created a new session</TD></TR><TR><TD></TD><TD>11015</TD><TD>An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier or both; Continue processing</TD></TR><TR><TD></TD><TD>15049</TD><TD>Evaluating Policy Group</TD></TR><TR><TD></TD><TD>15008</TD><TD>Evaluating Service Selection Policy</TD></TR><TR><TD></TD><TD>15006</TD><TD>Matched Default Rule</TD></TR><TR><TD></TD><TD>15041</TD><TD>Evaluating Identity Policy</TD></TR><TR><TD></TD><TD>15006</TD><TD>Matched Default Rule</TD></TR><TR><TD></TD><TD>15013</TD><TD>Selected Identity Source - ActiveDirectory</TD></TR><TR><TD></TD><TD>24430</TD><TD>Authenticating user against Active Directory</TD></TR><TR><TD></TD><TD>24402</TD><TD>User authentication against Active Directory succeeded</TD></TR><TR><TD></TD><TD>22037</TD><TD>Authentication Passed</TD></TR><TR><TD></TD><TD>15036</TD><TD>Evaluating Authorization Policy</TD></TR><TR><TD></TD><TD>24432</TD><TD>Looking up user in Active Directory - $$-jregan</TD></TR><TR><TD></TD><TD>24416</TD><TD>User's Groups retrieval from Active Directory succeeded</TD></TR><TR><TD></TD><TD>24420</TD><TD>User's Attributes retrieval from Active Directory succeeded</TD></TR><TR><TD></TD><TD>15048</TD><TD>Queried PIP</TD></TR><TR><TD></TD><TD>15048</TD><TD>Queried PIP</TD></TR><TR><TD></TD><TD>15004</TD><TD>Matched rule - Default</TD></TR><TR><TD></TD><TD>15016</TD><TD>Selected Authorization Profile - DenyAccess</TD></TR><TR><TD></TD><TD>15039</TD><TD>Rejected per authorization profile</TD></TR><TR><TD></TD><TD>11003</TD><TD>Returned RADIUS Access-Reject</TD></TR></TBODY></TABLE><P></P><P>Do I need to set a new condition based on some specific piece of information for ISE to recognise this devices request?</P><P></P><P>Any advice would be greatly appreciated.</P><P></P><P>Many thanks in advance</P><P>Jason</P> Mon, 11 Mar 2019 04:03:23 GMT Jason Regan 2019-03-11T04:03:23Z https://community.cisco.com/t5/network-access-control/adding-ips-modules-to-ips/m-p/2400877#M134354 <P>Have got ISE 1.2 running and have my firewalls authenticating against them and need to get my IPS modules authenticating as well but don't seem to be able to get them to.</P><P></P><P>My settings on teh IPS Device are as follows</P><P></P><P>Servier IP Address - {ISE Address}</P><P>Authentication Port - 1645</P><P>Timeout (seconds - 3</P><P>Shared Secret - {Shared Secret}</P><P></P><P>However ISE is rejecting the request </P><P></P><TABLE border="0" cellpadding="3" style="width: 500px;"><TBODY><TR><TD></TD><TD>11001</TD><TD>Received RADIUS Access-Request</TD></TR><TR><TD></TD><TD>11017</TD><TD>RADIUS created a new session</TD></TR><TR><TD></TD><TD>11015</TD><TD>An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier or both; Continue processing</TD></TR><TR><TD></TD><TD>15049</TD><TD>Evaluating Policy Group</TD></TR><TR><TD></TD><TD>15008</TD><TD>Evaluating Service Selection Policy</TD></TR><TR><TD></TD><TD>15006</TD><TD>Matched Default Rule</TD></TR><TR><TD></TD><TD>15041</TD><TD>Evaluating Identity Policy</TD></TR><TR><TD></TD><TD>15006</TD><TD>Matched Default Rule</TD></TR><TR><TD></TD><TD>15013</TD><TD>Selected Identity Source - ActiveDirectory</TD></TR><TR><TD></TD><TD>24430</TD><TD>Authenticating user against Active Directory</TD></TR><TR><TD></TD><TD>24402</TD><TD>User authentication against Active Directory succeeded</TD></TR><TR><TD></TD><TD>22037</TD><TD>Authentication Passed</TD></TR><TR><TD></TD><TD>15036</TD><TD>Evaluating Authorization Policy</TD></TR><TR><TD></TD><TD>24432</TD><TD>Looking up user in Active Directory - $$-jregan</TD></TR><TR><TD></TD><TD>24416</TD><TD>User's Groups retrieval from Active Directory succeeded</TD></TR><TR><TD></TD><TD>24420</TD><TD>User's Attributes retrieval from Active Directory succeeded</TD></TR><TR><TD></TD><TD>15048</TD><TD>Queried PIP</TD></TR><TR><TD></TD><TD>15048</TD><TD>Queried PIP</TD></TR><TR><TD></TD><TD>15004</TD><TD>Matched rule - Default</TD></TR><TR><TD></TD><TD>15016</TD><TD>Selected Authorization Profile - DenyAccess</TD></TR><TR><TD></TD><TD>15039</TD><TD>Rejected per authorization profile</TD></TR><TR><TD></TD><TD>11003</TD><TD>Returned RADIUS Access-Reject</TD></TR></TBODY></TABLE><P></P><P>Do I need to set a new condition based on some specific piece of information for ISE to recognise this devices request?</P><P></P><P>Any advice would be greatly appreciated.</P><P></P><P>Many thanks in advance</P><P>Jason</P> Mon, 11 Mar 2019 04:03:23 GMT https://community.cisco.com/t5/network-access-control/adding-ips-modules-to-ips/m-p/2400877#M134354 Jason Regan 2019-03-11T04:03:23Z https://community.cisco.com/t5/network-access-control/adding-ips-modules-to-ips/m-p/2400878#M134407 <HTML><HEAD></HEAD><BODY><P>Jason, </P><P></P><P>Looks like you're landing on default authorization policy (DenyAccess).</P><P></P><P>Add an authorization policy what would match the network device/AAA client of your IPS, make sure it's on top.Take if from there. </P><P></P><P>Also 1645 - old port, ISE should be listenning to old and new, but 1812 is what you would typically see for any other device config. </P><P></P><P>M.</P></BODY></HTML> Fri, 01 Nov 2013 12:30:12 GMT https://community.cisco.com/t5/network-access-control/adding-ips-modules-to-ips/m-p/2400878#M134407 Marcin Latosiewicz 2013-11-01T12:30:12Z https://community.cisco.com/t5/network-access-control/adding-ips-modules-to-ips/m-p/2400879#M134473 <HTML><HEAD></HEAD><BODY><P>Can you post a screenshot of your authorization policies, along with IPS settings in ISE<BR /><BR /><BR />Sent from Cisco Technical Support Android App</P></BODY></HTML> Fri, 01 Nov 2013 14:34:38 GMT https://community.cisco.com/t5/network-access-control/adding-ips-modules-to-ips/m-p/2400879#M134473 Tarik Admani 2013-11-01T14:34:38Z https://community.cisco.com/t5/network-access-control/adding-ips-modules-to-ips/m-p/2400880#M134497 <HTML><HEAD></HEAD><BODY><P> Hi Tarik,</P><P></P><P>Here is the condition used in my Authorisation Policy for allowing access to the IPS module</P><P></P><P>ActiveDirectory:ExternalGroups EQUALS {AD Group of which I am a member} </P><P>AND</P><P>Network Access:AuthenticationMethod EQUALS PAP_ASCII </P><P>AND</P><P>Radius:NAS-IP-Address EQUALS {IP Address of the module}</P><P></P><P>I'm not sure what you mean by "IPS settings in ISE", all I have done is add a device using the IP address and shared secret</P><P></P><P>Thanks</P><P>Jason</P></BODY></HTML> Mon, 04 Nov 2013 13:29:30 GMT https://community.cisco.com/t5/network-access-control/adding-ips-modules-to-ips/m-p/2400880#M134497 Jason Regan 2013-11-04T13:29:30Z