topic Re: troubleshooting over not functioning credentials in Network Access Control

troubleshooting over not functioning credentials

maring13482 — Fri, 08 Jan 2021 13:46:06 GMT

We need to access to some Cisco devices in a ISE managed infrastructure.

we theoretically have been granted access with multiple credentials but now only a few of them work. The others seems not to be authorized (error "Unable to authorize access.")

I've tried to troubleshoot this in the ISE But I can't figure out what's the matter with our non functioning credentials. Here is a compare between Username1 (working) and username2 (not working)

Can anyone tell me where exactly to look in those logs in order to troubleshoot problems like this?

thanks!

Re: troubleshooting over not functioning credentials

Damien Miller — Fri, 08 Jan 2021 17:17:27 GMT

The log on the right, which is resulting in an access reject, appears to be matching the username/AD account in a different domain, possibly across a two way trust in the AD config. If this is the case, the AD groups mapped in the Authz for access may not exist in the other domain. At least that's one possible scenario here.

You can do some AD test authentications and look to see the difference between user1 and user 2. Do this from the External ID sources page.
https://<ise admin node>/admin/#administration/administration_identitymanagement/administration_identitymanagement_external

Re: troubleshooting over not functioning credentials

maring13482 — Wed, 13 Jan 2021 10:05:28 GMT

I've tried authenticating both users through the tool you've suggested and I've noted no difference between the two. There just one AD server configured as an external identity source and it's successful for both

Re: troubleshooting over not functioning credentials

Panos Bouras — Fri, 15 Jan 2021 10:15:39 GMT

hi @maring13482 ,

The access rejects comes from your authorization rules, not your authentication.

Please check your authorization rules, share them if you need more help.

Re: troubleshooting over not functioning credentials

maring13482 — Tue, 19 Jan 2021 16:04:21 GMT

I don't really know much of the ISE's lingo. Here is the closest thing to "authorization rules" that I've found (looking through some documentation searching for "authorization rule", I've found some reference to policy sets)

Re: troubleshooting over not functioning credentials

Panos Bouras — Mon, 25 Jan 2021 17:14:30 GMT

Hi @maring13482

I apologize for using ISE lingo.
You found your policy sets which is a good starting point, next if you click on the ">" on your corresponding policy e.g. WIFI_802.1X you'll find the authorization rules. There you must observe the options that must match in order for an authorization policy to succeed, this could be a range of things like use must belong to specific AD group, or for a specific SSID or/ and specific hour.

As policies can be either very simple or to complex there's no way to guide you without specific requirements.

We can try if it's a one off situation, but is always recommended to hire an ISE consultant, especially if you're in an security "sensitive" environment.

Also have a look at https://www.network-node.com/ for some good videos on ISE.