topic Re: ISE MAB for Cisco IP phone without profiling license. in Network Access Control

ISE MAB for Cisco IP phone without profiling license.

ali007 — Thu, 29 Sep 2022 10:55:47 GMT

hi,

I am trying to setup our ISE for Cisco IP phone and we do not have license to support profiling. do you have a step by step guide or something so I can copy it? I have tried everything so far that I know but it wouldnt work as I am keep getting the following error:

resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.

root cause: Selected Authorization Profile contains ACCESS_REJECT attribute

ISE Version is: 3.2

thanks in advance

Re: ISE MAB for Cisco IP phone without profiling license.

Aref Alsouqi — Thu, 29 Sep 2022 12:30:05 GMT

I think you can create an identity group, importing/moving the phones' MAC addresses into the identity group, and then reference the identity group on the authorization rule. That should match the traffic coming from the phones without relying on profiling at all. The downside of this is that you need to add any additional phone MAC address to the identity group.

Re: ISE MAB for Cisco IP phone without profiling license.

ali007 — Thu, 29 Sep 2022 12:50:08 GMT

Hi Aref.

I have done just that but getting the below error- also, I have only selected "voice domain" in the result profile - is that right?:

Event : 5434 Endpoint conducted several failed authentications of the same scenario

Failure Reason: 15039 Rejected per authorization profile

Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.

Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute

Re: ISE MAB for Cisco IP phone without profiling license.

Aref Alsouqi — Thu, 29 Sep 2022 13:08:35 GMT

Yes, voice domain permission would be required. It does seem that the traffic coming from the phones is not matching the right authorization profile. Would you mind sharing sanitized screenshots of your authentication and authorization rules for review?

Re: ISE MAB for Cisco IP phone without profiling license.

ali007 — Thu, 29 Sep 2022 14:17:53 GMT

thanks Aref, I can see the right authZ policy is selected in the logs but still access_reject is chosen:

(check the attached screenshot)

there was a default IP Phone group so I added the MAC to this group statically.

Re: ISE MAB for Cisco IP phone without profiling license.

Aref Alsouqi — Thu, 29 Sep 2022 14:35:35 GMT

Mmm, could you please check in the authorization profile the access type? it is the first option when you open up the authorization profile, and it should be set to "ACCESS_ACCEPT", maybe it was set to "ACCESS_REJECT" accidentally?!

Re: ISE MAB for Cisco IP phone without profiling license.

andrewswanson — Thu, 29 Sep 2022 14:39:28 GMT

The "Event : 5434 Endpoint conducted several failed authentications of the same scenario" message suggests the client is being blacklisted by ISE - see thread below:

https://community.cisco.com/t5/network-access-control/ise-and-failed-authentications-conducted-by-endpoints/td-p/2971530

hth

Andy

Re: ISE MAB for Cisco IP phone without profiling license.

ali007 — Thu, 29 Sep 2022 14:40:44 GMT

its definitely set to Access_Accept - checked it many times over.

Re: ISE MAB for Cisco IP phone without profiling license.

Aref Alsouqi — Thu, 29 Sep 2022 14:49:30 GMT

Could you please try to create an new authorization profile from the scratch, not by cloning the existing one, and apply it to the authorization rule and see if that makes any difference?

Re: ISE MAB for Cisco IP phone without profiling license.

ali007 — Thu, 29 Sep 2022 15:04:19 GMT

tried that over a few times as well.

The only thing selected in authorization result profile is voice domain
though and access-accept

Re: ISE MAB for Cisco IP phone without profiling license.

Aref Alsouqi — Thu, 29 Sep 2022 15:18:03 GMT

Can you please share the complete failure log page as a screenshot for review?

Re: ISE MAB for Cisco IP phone without profiling license.

ali007 — Thu, 29 Sep 2022 15:35:30 GMT

sure, please see atatched:

Re: ISE MAB for Cisco IP phone without profiling license.

ali007 — Thu, 29 Sep 2022 15:51:16 GMT

thanks Andrew, there's no anomalous client supression settings in "Administration > System > Settings > Radius, Suppress Anomalous Clients" as the thread suggests. we are running version 3 patch 2.

Re: ISE MAB for Cisco IP phone without profiling license.

Aref Alsouqi — Thu, 29 Sep 2022 16:02:14 GMT

Thanks. It seems ISE is complaining about the network device profile. What network device profile have you selected in the phones authorization profile? that option should be the second from top. Could you please try to set that to "any" and see if this makes any difference?