https://community.cisco.com/t5/network-access-control/denyaccess-identity-store-on-ise/m-p/3082209#M25797 <P>You can choose a new identity store for the Authentication policy you are hitting. All ID stores should show up as options to choose in a dropdown See picture attached.&nbsp;</P> Wed, 12 Jul 2017 15:28:29 GMT Rahul Govindan 2017-07-12T15:28:29Z https://community.cisco.com/t5/network-access-control/denyaccess-identity-store-on-ise/m-p/3082208#M25796 <P>Hi,</P> <P>I've Cisco ISE 2.2.0.470 patch 1.</P> <P>Every time that a user tries to access the network via MAB Authentication, authentication fails.</P> <P>Failure reason is "22017 Selected Identity Source is DenyAccess".</P> <P>The resolution is Select a different identity source.</P> <P>The identity store is in fact DenyAccess while previously the identity store of my users was Guest_Users.</P> <P></P> <P>How could I select a different identity store?</P> <P>How could I change DenyAccess identity store?</P> <P></P> <P>Is it possible?</P> <P></P> <P>Thanks</P> <P>Antonio</P> <P></P> Mon, 11 Mar 2019 07:50:56 GMT https://community.cisco.com/t5/network-access-control/denyaccess-identity-store-on-ise/m-p/3082208#M25796 antonio.dinapoli 2019-03-11T07:50:56Z https://community.cisco.com/t5/network-access-control/denyaccess-identity-store-on-ise/m-p/3082209#M25797 <P>You can choose a new identity store for the Authentication policy you are hitting. All ID stores should show up as options to choose in a dropdown See picture attached.&nbsp;</P> Wed, 12 Jul 2017 15:28:29 GMT https://community.cisco.com/t5/network-access-control/denyaccess-identity-store-on-ise/m-p/3082209#M25797 Rahul Govindan 2017-07-12T15:28:29Z https://community.cisco.com/t5/network-access-control/denyaccess-identity-store-on-ise/m-p/3082210#M25798 <P>Hi,</P> <P>thanks for your reply.</P> <P>It doesn't work or maybe I've configured the authentication policy in a wrong manner.</P> <P>Actual authentication policies are shown in the picture attached.</P> <P>Yesterday there wasn't the MAB_SG_copy1.</P> <P>Yesterday users hit the MAB_SG policy and it was right in my scenario.</P> <P>The error messages were:</P> <P>Failure reason is "22017 Selected Identity Source is DenyAccess".</P> <P>The resolution is Select a different identity source.</P> <P></P> <P>After your reply&nbsp;I've configured also the MAB_SG_copy1 policy.</P> <P>This policy is&nbsp;very similar to&nbsp;the MAB_SG policy with the&nbsp;difference of Identity Store that is DenyAccess store instead of All_user_ID_store.</P> <P>I use&nbsp;DenyAccess identity store to try to permit access to "Denyaccess" users.</P> <P><SPAN>Identity Source Details are the same for both the policies.</SPAN></P> <P>Now users hit that policy but the failure messages are the same of the MAB_SG policy.</P> <P></P> <P>Is this configuration correct? Did you mean this type of configuration?</P> <P></P> <P>The strange fact is that MAB_SG policy worked well for some days and suddenly, after I've reloaded my ISE, it began to deny access to my users.</P> <P>I've reloaded my ISE because I've upgraded&nbsp;cpu and ram (not disk).</P> <P>I don't know if the resource upgrade could have influenced the authentication behaviour.</P> <P></P> <P>Thanks</P> <P>Antonio</P> Thu, 13 Jul 2017 13:31:44 GMT https://community.cisco.com/t5/network-access-control/denyaccess-identity-store-on-ise/m-p/3082210#M25798 antonio.dinapoli 2017-07-13T13:31:44Z