Authentication failed - Rejected per authorization profile

Ali — Fri, 21 Feb 2020 18:45:59 GMT

Dear Community,

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Airespace.Airespace-Wlan-Id
15048 Queried PIP - Radius.NAS-IP-Address
15048 Queried PIP - Normalised Radius.RadiusFlowType
15004 Matched rule - 802_1_X
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12101 Extracted EAP-Response/NAK requesting to use EAP-FAST instead
12100 Prepared EAP-Request proposing EAP-FAST with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12102 Extracted EAP-Response containing EAP-FAST challenge-response and accepting EAP-FAST as negotiated
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12808 Prepared TLS ServerKeyExchange message
12810 Prepared TLS ServerDone message
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12812 Extracted TLS ClientKeyExchange message
12813 Extracted TLS CertificateVerify message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12149 EAP-FAST built authenticated tunnel for purpose of PAC provisioning
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12209 Starting EAP chaining
12218 Selected identity type 'User'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12212 Identity type provided by client is equal to requested
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - ABC_Emp_SSID
15013 Selected Identity Source - ABC-AD
24430 Authenticating user against Active Directory - ABC-AD
24325 Resolving identity - BOB
24313 Search for matching accounts at join point - corp.ABC.com
24319 Single matching account found in forest - corp.ABC.com
24367 Skipping unusable domain - ABC.com,Domain trust is one-way
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - BOB@corp.ABC.com
24402 User authentication against Active Directory succeeded - ABC-AD
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12128 EAP-FAST inner method finished successfully
12966 Sent EAP Intermediate Result TLV indicating success
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12126 EAP-FAST cryptobinding verification passed
12200 Approved EAP-FAST client Tunnel PAC request
12219 Selected identity type 'Machine'
12125 EAP-FAST inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12213 Identity type provided by client is not equal to requested type
12216 Identity type provided by client was already used for authentication
12967 Sent EAP Intermediate Result TLV indicating failure
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
24433 Looking up machine in Active Directory - ABC-AD
24325 Resolving identity - GHM120056$@corp.ABC.com
24313 Search for matching accounts at join point - corp.ABC.com
24318 No matching account found in forest - corp.ABC.com
24315 Single matching account found in domain - corp.ABC.com
24323 Identity resolution detected single matching account
24439 Machine Attributes retrieval from Active Directory succeeded - ABC-AD
24422 ISE has confirmed previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP - Session.PostureStatus
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12855 PAC was not sent due to authorization failure
12965 Sent EAP Result TLV indicating failure
12105 Prepared EAP-Request with another EAP-FAST challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12104 Extracted EAP-Response containing EAP-FAST challenge-response
12109 EAP-FAST provisioning phase finished
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject

Above is the result output

User Laptop authentication getting failed when trying to access through wifi, same user can access through wired connection(Wired and Wifi both Authentication is from AD)

I am suspecting this might be the problem 15048 Queried PIP - Session.PostureStatus
15004 Matched rule - Default

But in Eap Chaining Result its showing the result as - User succeeded and machine failed

What might be the solution or I am missing something in policy.

Re: Authentication failed - Rejected per authorization profile

Mohammed al Baqari — Mon, 19 Feb 2018 10:59:42 GMT

Here is the problem

24325 Resolving identity - GHM120056$@corp.ABC.com
<>

24313 Search for matching accounts at join point - corp.ABC.com
<>

24318 No matching account found in forest - corp.ABC.com
<>

24315 Single matching account found in domain - corp.ABC.com
<>

What is GHM120056$ ? That is shared as identity but can't be evaluated

Re: Authentication failed - Rejected per authorization profile

Ali — Mon, 19 Feb 2018 11:05:51 GMT

Hi Mohammed,

GHM120056 = Machine Id, which is mapped in DHCP(AD)

Re: Authentication failed - Rejected per authorization profile

Mohammed al Baqari — Mon, 19 Feb 2018 11:20:42 GMT

This machine isn't included in your AD search space which is configured in
ISE hence its failing.

For example, if you configure the AD in ISE to search in computers OU while
this machine is assigned in Laptops OU, it won't locate the machine and
will fail. This is happening here.

Re: Authentication failed - Rejected per authorization profile

Ali — Mon, 19 Feb 2018 11:42:18 GMT

Dear Mohammed,
I highly appreciate your response

24325 Resolving identity - GHM120056$@corp.ABC.com
24313 Search for matching accounts at join point - corp.ABC.com
24318 No matching account found in forest - corp.ABC.com
24315 Single matching account found in domain - corp.ABC.com
24323 Identity resolution detected single matching account
24439 Machine Attributes retrieval from Active Directory succeeded - ABC-AD
24422 ISE has confirmed previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy

But, according to logs we can find " Machine Attributes retrieval from Active Directory succeeded" what this result means.

After this its going to Authz profile and then Failing.
Please correct me if i am wrong.

Re: Authentication failed - Rejected per authorization profile

Mohammed al Baqari — Mon, 19 Feb 2018 11:58:42 GMT

You are right. I think I didn't explain it well. Basically after successful
authentication which you pointed it download AD attributes for the machine
and goes to authorization check. None of your authorization policies is
matched using the attributes and its going to default rule which is reject

topic Re: Authentication failed - Rejected per authorization profile in Network Access Control

Authentication failed - Rejected per authorization profile

Re: Authentication failed - Rejected per authorization profile

Re: Authentication failed - Rejected per authorization profile

Re: Authentication failed - Rejected per authorization profile

Re: Authentication failed - Rejected per authorization profile

Re: Authentication failed - Rejected per authorization profile