topic Device Type - Failure Reason: 22017 Selected Identity Source is DenyAccess in Network Access Control

Device Type - Failure Reason: 22017 Selected Identity Source is DenyAccess

bhinder119 — Thu, 02 Apr 2020 20:01:21 GMT

Hi Guys,

I'm having issues authenticating (TACACS+ w/AD) to my routers when I set the device type to "routers". When I try logging in, my prompt gives me access denied. ISE gives the below error: When I set device type to "All Device Types", I'm able to authenticate with no issue. Am I able to edit the authentication policies for my "router" device type? I attached a screenshot of the error.

Thanks!

Failure Reason	22017 Selected Identity Source is DenyAccess
Resolution	Select a different Identity Source

Re: Device Type - Failure Reason: 22017 Selected Identity Source is DenyAccess

Mike.Cifelli — Thu, 02 Apr 2020 23:47:07 GMT

I cant see how your T+ device admin policies are configured, but I would take a look there (located under Work Centers->Device Administration->Device Admin Policy Sets). There are definitely conditions that you can utilize to meet your requirement of how you wish to break the NAD types and/or locations down to push policy that way. It sounds like you are not matching the currently configured policy. See here for more info: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/Workflow/b_device_administration_2_4.html

Re: Device Type - Failure Reason: 22017 Selected Identity Source is DenyAccess

bhinder119 — Fri, 03 Apr 2020 14:06:11 GMT

That was it! I needed to create a new policy/condition for my "routers" device type group.

Thanks for your help!!