topic 15039 Rejected per authorization profile in Network Access Control

15039 Rejected per authorization profile

gurbinder.kabbay — Mon, 24 Feb 2020 18:46:08 GMT

Hi Experts,

I am testing one use case in ISE, where the ise is not authorizing the AD user. when I am testing this AD user from switch with command : test aaa group radius username@AD.com Password new-code, then its saying :

User successfully authenticated

USER ATTRIBUTES

username 0 "Username"
tunnel-type 1 13 [vlan]
tunnel-medium-type 1 6 [ALL_802]
tunnel-private-group 1 "IT"

Means, its successfully authenticated and getting authorization as well. But when I am testing from end point its giving me below error, please provide the workaround where I am missing something.

its ACCESS_ACCEPT in authorization profile, dont know why its saying in root cause: Authorization Profile with ACCESS_REJECT attribute

Event	5400 Authentication failed
Failure Reason	15039 Rejected per authorization profile
Resolution	Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause	Selected Authorization Profile contains ACCESS_REJECT attribute

Also mentioning all the steps , which its Performing during this process.

	11001	Received RADIUS Access-Request
	11017	RADIUS created a new session
	11027	Detected Host Lookup UseCase (Service-Type = Call Check (10))
	15049	Evaluating Policy Group
	15008	Evaluating Service Selection Policy
	15048	Queried PIP - DEVICE.Device Type
	15041	Evaluating Identity Policy
	15048	Queried PIP - Normalised Radius.RadiusFlowType
	15013	Selected Identity Source - Internal Endpoints
	24209	Looking up Endpoint in Internal Endpoints IDStore - 00:50:56:5D:D5:2A
	24211	Found Endpoint in Internal Endpoints IDStore
	22037	Authentication Passed
	24715	ISE has not confirmed locally previous successful machine authentication for user in Active Directory
	15036	Evaluating Authorization Policy
	24432	Looking up user in Active Directory - AD.com
	24325	Resolving identity - 00-50-56-5D-D5-2A
	24313	Search for matching accounts at join point - AD.com
	24318	No matching account found in forest - AD.com
	24322	Identity resolution detected no matching account
	24352	Identity resolution failed - ERROR_NO_SUCH_USER
	24412	User not found in Active Directory - AD.com
	15048	Queried PIP - AD.com.ExternalGroups (3 times)
	15016	Selected Authorization Profile - DenyAccess
	15039	Rejected per authorization profile
	11003	Returned RADIUS Access-Reject

Re: 15039 Rejected per authorization profile

Greg Gibbs — Mon, 24 Feb 2020 21:57:05 GMT

As per Step Data:

24325

Resolving identity - 00-50-56-5D-D5-2A

ISE is trying to resolve identity for the endpoint MAC address, so this is MAB. As such, the session is falling to the Default AuthZ Policy, which is Deny Access (with a result of ACCESS-REJECT).

There is likely an issue with your 802.1x configuration and the client is either not responding or failing 802.1x and falling back to MAB.

I would suggest reviewing the ISE Secure Wired Access Prescriptive Guide and comparing it against your environment. If all else fails, you might need to open a TAC case to get assistance with taking debugs and packet captures to investigate the end-to-end flow.

Cheers,

Greg

Re: 15039 Rejected per authorization profile

gurbinder.kabbay — Tue, 25 Feb 2020 13:12:14 GMT

Thanks Greg,

you are right, its doing MAB only. because of CPL, dot1x and MAB is happening at same time and i am getting ACCESS_REJECT.

I am using below CPL config, could you please give me sample of CPL config , in which i can only do dot1x. because its something CSCuy05270 is hitting this.

CPL config:

class-map type control subscriber match-any AAA-DOWN
match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
match method dot1x
match result-type method dot1x authoritative
!
ip access-list extended ACL-ALLOW
permit ip any any
!
service-template CRITICAL
access-group ACL-ALLOW
!
policy-map type control subscriber DOT1X-DEFAULT
event session-started match-all
10 class always do-all
10 authenticate using dot1x priority 10
20 authenticate using mab priority 20
event violation match-all
10 class always do-all
10 restrict
event agent-found match-all
10 class always do-all
10 authenticate using dot1x
event authentication-failure match-all
10 class AAA-DOWN do-all
10 authorize
20 activate service-template CRITICAL
30 terminate dot1x
40 terminate mab
20 class DOT1X-FAILED do-all
10 authenticate using mab

Interface Config:

interface range g2/0/24
switchport host
switchport access vlan 100
service-policy type control subscriber DOT1X-DEFAULT
authentication periodic
authentication timer reauthenticate server
mab
access-session host-mode multi-auth
dot1x timeout tx-period 10
access-session port-control auto
!

Result

RadiusPacketType	AccessReject
AuthenticationResult	Passed
UserName	00:50:56:5D:D5:2A

Re: 15039 Rejected per authorization profile

Greg Gibbs — Tue, 25 Feb 2020 22:38:51 GMT

When using Concurrent Auth, you will always see a MAB session followed by a dot1x session when the switch sees an EAPOL from the client. With the correct C3PL policy, the dot1x session will override the initial MAB session for the same MAC address.

If you are not using the C3PL configuration recommended in the Prescriptive Guide, I would suggest having a look at this example that uses Concurrent Auth.

Configure IBNS 2.0 for Single-Host and Multi-Domain Scenarios

One thing that stands out is that your first 'class' command should be:

10 class always do-until-failure

There are many variables here, so I'm not sure if that is causing your specific issue but it should definitely changed.

If you're using the same C3PL policy as the example above and still having issue, you will likely need to start looking at what's happening on the client side via logs and packet captures.

Re: 15039 Rejected per authorization profile

gurbinder.kabbay — Wed, 26 Feb 2020 12:18:07 GMT

Thanks very much Greg,

its working now after giving the command "dot1x pae authenticator" under interface (to which end point is connected). I am able to assign the IPs to AD users according to their groups like IT group will get vlan 10 IP and Sales will get 20.

the only doubt I have that: in ISE (live logs) the IP information is not coming against end points.

Regards,

Garry

Re: 15039 Rejected per authorization profile

Cristian Matei — Wed, 26 Feb 2020 14:59:29 GMT

Hi,

Do you have RADIUS accounting and device tracking configured?

Regards,

Cristian Matei.

Re: 15039 Rejected per authorization profile

gurbinder.kabbay — Wed, 26 Feb 2020 18:24:14 GMT

Hi Cristian,

where and how i should enable (RADIUS accounting and device tracking) it? could you please guide me.

Regards,

Garry