topic Re: authentication failed, Error 15039 rejected per authorization prof in Network Access Control

authentication failed, Error 15039 rejected per authorization profile

Amen — Mon, 11 Apr 2022 12:59:32 GMT

On ISE version 3.0.0.458 - Patch 2, I have 15 clients facing this issue :

The Port config :-

authentication periodic

authentication timer reauthenticate server

access-session control-direction in

access-session port-control auto

mab

dot1x pae authenticator

dot1x timeout tx-period 5

policy-map type control subscriber DOT1X-DEFAULT

event session-started match-all

10 class always do-until-failure

10 authenticate using mab priority 20

20 authenticate using dot1x priority 10

event violation match-all

10 class always do-all

10 restrict

event authentication-failure match-first

10 class AAA-DOWN do-all

10 authorize

20 activate service-template CRITICAL

30 terminate dot1x

40 terminate mab

20 class DOT1X-FAILED do-all

10 terminate dot1x

20 authenticate using mab

22 class DOT1X_TIMEOUT do-all

10 terminate dot1x

20 authenticate using mab

24 class DOT1X_NO-RESP do-all

10 terminate dot1x

20 authenticate using mab

30 class MAB-FAILED do-all

10 activate service-template QUARANTINE

20 authorize

30 terminate dot1x

40 terminate mab

event agent-found match-all

10 class always do-all

10 terminate mab

20 authenticate using dot1x

service-policy type control subscriber DOT1X-DEFAULT

another profile

policy-map type control subscriber DOT1X-RETRY

event session-started match-all

10 class always do-until-failure

10 authenticate using mab priority 20

20 authenticate using dot1x priority 10

event violation match-all

10 class always do-all

10 restrict

event authentication-failure match-first

10 class AAA-DOWN do-all

10 authorize

20 activate service-template CRITICAL

30 terminate dot1x

40 terminate mab

20 class DOT1X-FAILED do-all

10 terminate dot1x

20 authenticate using mab

22 class DOT1X_TIMEOUT do-all

10 terminate dot1x

20 authenticate using mab

24 class DOT1X_NO-RESP do-all

10 terminate dot1x

20 authenticate using mab

30 class MAB-FAILED do-all

10 authenticate using dot1x retries 2 retry-time 0 priority 10

20 set-timer WAIT 10

30 activate service-template QUARANTINE

40 authorize

50 terminate dot1x

60 terminate mab

event agent-found match-all

10 class always do-all

10 terminate mab

20 authenticate using dot1x retries 2 retry-time 0 priority 10

Can anyone advise if I am facing a bug or something that I can try to do to avoid this problem,?

Re: authentication failed, Error 15039 rejected per authorization prof

Mike.Cifelli — Mon, 11 Apr 2022 13:13:11 GMT

Can anyone advise if I am facing a bug or something that I can try to do to avoid this problem,?

-These clients seem to be hitting the default authz policy for onboarding. I would look into why these clients are not matching on the authz condition that you intend on them matching for your desired authz profile result by verifying your policy buildout/structure. Are all clients having this issue or just the 15 mentioned?

Re: authentication failed, Error 15039 rejected per authorization prof

Amen — Mon, 11 Apr 2022 13:37:30 GMT

only 15 client from more than a 100 are facing this issue.

and it was working fine before.

The problem occurs sporadically.
After deactivating 802.1x on this network port, the problem disappears, then it can be activated again, then it works for a certain time.

Re: authentication failed, Error 15039 rejected per authorization prof

Mike.Cifelli — Mon, 11 Apr 2022 13:37:06 GMT

I would recommend doing the following:

-Take a known good and known bad client, and then do a step by step comparison of the onboarding workflow for each. This should narrow down the issue. I am assuming that the issue is in your ISE authz policies with the 15 clients not matching on the desired policy.

Re: authentication failed, Error 15039 rejected per authorization prof

Amen — Mon, 11 Apr 2022 13:43:17 GMT

the policies/configurations are the same for all 700-750 clients.

Re: authentication failed, Error 15039 rejected per authorization prof

MHM Cisco World — Mon, 11 Apr 2022 21:11:16 GMT

You are hitting an Authorization Police - Rule Name: Default, that has a Results Profiles - DenyAccess.

in Policy > Policy Set > select the Policy Sets, double check the Authorization Policy configuration.

Re: authentication failed, Error 15039 rejected per authorization prof

Greg Gibbs — Mon, 11 Apr 2022 22:45:31 GMT

It's tough to say without more detail on how your policies are configured, but you might be running into an issue with how Concurrent Auth works (which, technically, ISE does not understand).

At reauth, the switch may be trying MAB first. If you have a default AuthZ Policy that sends an ACCESS_REJECT, it will cause a race condition (since MAB happens faster than dot1x) where the supplicant fails auth and stops trying for a retry period. A best practice when using Concurrent Auth is to have a default AuthZ Policy that sends an ACCESS_ACCEPT with a restrictive DACL. That will keep the supplicant happy until dot1x completes and successfully reauths.

Using Sequential Auth as per the configuration in the Secure Wired Access Prescriptive Deployment Guide will resolve this issue.

You can also try using the 'termination-action-modifier=1' attribute to mitigate the reauth issue as described in this post:

CPL Template MAB/Dot1x Simultaneously