topic Re: context visibility endpoints rejected while radius live session authorized in Network Access Control

context visibility endpoints rejected while radius live session authorized

wael.vs — Thu, 17 Jun 2021 07:00:40 GMT

dear cisco community

can someone please explain to me the below scenario.

we have polycom IP-Phones connected to our network, we used profiling to authorize the phones.

most of them works fine, but some of them shows as (15039 Rejected per authorization profile)

while in the Radius live log they seem to be authorized to the correct profile.

is it normal for the context visibility endpoint and the radius live logs to be like this, is the endpoint authorized or not.

please check the attached screenshots, your support is highly appreciated

Re: context visibility endpoints rejected while radius live session authorized

Marcelo Morais — Thu, 17 Jun 2021 16:45:31 GMT

Hi @wael.vs ,

please check the Context Visibility info not in the main Context Visibility page, but inside the "Context Visibility's MAC Addr" and check the Authentication tab.

Note: check the CSCvj20453 Mismatch information in Context visibility.

Hope this helps !!!

Re: context visibility endpoints rejected while radius live session authorized

thomas — Sun, 27 Jun 2021 23:35:44 GMT

What does the RADIUS LiveLog 📄 Details say about your Polycom-* Authorization Result?

Does it contain an Access-Reject since that is what the message means:

15039 Selected Authorization Profile contains ACCESS_REJECT attribute

Hard to tell if those are the same sessions since the details are not show or obscured for privacy.

Re: context visibility endpoints rejected while radius live session authorized

hslai — Mon, 05 Jul 2021 03:39:22 GMT

This is a current limitation in ISE context visibility, such that the failure reason gets the last value and does not get cleaned up after a success auth.