https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4116777#M561631 <P>How does policy on ISE looks like?</P> Fri, 10 Jul 2020 18:43:34 GMT marius.jakevicius 2020-07-10T18:43:34Z https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4116751#M561630 <P>I istalled an ISE server recently ,configured by Cisco Switch for tacacs authentication,</P><P>&nbsp;</P><P>I constantly get failed login attempts while trying to login.</P><P>&nbsp;</P><P>Attached herewith is the error log. Below is my switch Configuration:</P><P>&nbsp;</P><P>aaa group server tacacs+ ISE-DMO<BR />server 16.128.15.75<BR />server-private 16.128.15.75 key&nbsp; man&amp;woman<BR />!<BR />aaa authentication login default group tacacs+ local<BR />aaa authentication enable default group tacacs+ enable<BR />aaa authentication dot1x default group packetfence<BR />aaa authorization exec default group tacacs+ local<BR />aaa authorization network default group packetfence<BR />aaa accounting commands 1 default start-stop group tacacs+<BR />aaa accounting commands 7 default start-stop group tacacs+<BR />aaa accounting commands 15 default start-stop group tacacs+</P><P>&nbsp;</P><P>&nbsp;</P><P>tacacs-server host 16.128.15.75<BR />tacacs-server directed-request<BR />radius-server host 10.128.10.150 auth-port 1812 acct-port 1813 timeout 2 key&nbsp;man&amp;men<BR />radius-server vsa send authentication<BR />!<BR />control-plane<BR />!<BR />!<BR />line con 0<BR />line vty 0 4<BR />password done2020<BR />line vty 5 15<BR />password done2020</P> Fri, 10 Jul 2020 17:50:47 GMT https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4116751#M561630 okoroji80 2020-07-10T17:50:47Z https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4116777#M561631 <P>How does policy on ISE looks like?</P> Fri, 10 Jul 2020 18:43:34 GMT https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4116777#M561631 marius.jakevicius 2020-07-10T18:43:34Z https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4116824#M561633 <P>Hello Marius.,</P><P>&nbsp;</P><P>Attached is my policy set on the ISE.</P><P>&nbsp;</P><P>thank you</P> Fri, 10 Jul 2020 21:02:17 GMT https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4116824#M561633 okoroji80 2020-07-10T21:02:17Z https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4117043#M561641 <P>Both of your two non-default authorization rules have conditions on user identity groups. ISE appears not finding the user in either groups so it applies the default; hence, Deny All Shell Profile.</P> Sat, 11 Jul 2020 18:29:30 GMT https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4117043#M561641 hslai 2020-07-11T18:29:30Z https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4117098#M561645 <P>Kindly advice on the steps to have this resolved&nbsp;</P><P>&nbsp;</P><P>thanks</P> Sat, 11 Jul 2020 21:47:33 GMT https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4117098#M561645 okoroji80 2020-07-11T21:47:33Z https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4117103#M561647 <P><SPAN class=""><A id="link_35" class="lia-link-navigation lia-page-link lia-user-name-link" href="https://community.cisco.com/t5/user/viewprofilepage/user-id/284822" target="_self">okoroji80,</A></SPAN></P> <P><SPAN class="">Please verify whether the user in one of the user groups.</SPAN></P> <P><SPAN class="">Or, you may change the shell profile and the command set for the default rule and give some limited access.</SPAN></P> Sat, 11 Jul 2020 23:01:38 GMT https://community.cisco.com/t5/network-access-control/ise-ver-2-7-authentication-error/m-p/4117103#M561647 hslai 2020-07-11T23:01:38Z