https://community.cisco.com/t5/network-access-control/ise-authorization-policy/m-p/2384239#M89201 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>it is obvious that you are not matching any condition.</P><P>rather than keeping the condition blank, fill it with a condition that is always match and try if that helps.</P><P></P><P>Regards,</P><P></P><P>Amjad</P><P></P><P><SPAN style="color: blue;">Rating useful replies is more useful than saying <SPAN style="color: green;"> "<SPAN style="text-decoration: underline;">Thank you</SPAN>"</SPAN></SPAN></P></BODY></HTML> Thu, 19 Dec 2013 06:54:03 GMT Amjad Abdullah 2013-12-19T06:54:03Z https://community.cisco.com/t5/network-access-control/ise-authorization-policy/m-p/2384238#M89199 <P>Hey guys,</P><P></P><P>I have a question regarding ISE Authorization Policy. In my test lab, I don't have any wired station, and what I have is a wireless lapotp. I have configured to allow only EAP-TLS authentication. Now, my problem is I keep getting "15039 Rejected per authorization profile."</P><P></P><P>Under the <STRONG>Policy &gt; Authorization,</STRONG> I created a rule where I just want to allow on EAP-TLS either via machine or user identity, and the bottom is the default DenyAccess. When I tried to join the wireless network, I kept getting denied. I checked the ACL counters on the WLC side and it was not increasing. </P><P>I changed the default DenyAccess to PermitAccess, and I was able to join the wireless network no problem, and the ACL counters on the WLC side increased.</P><P></P><P>It seems like I am hitting the default Authorization Policy first which is on the bottom of the authorization policy.</P><P>I attached the failed and authenticated logs that I got from ISE.</P><P></P><P>Has anyone have encoutered this issue?</P><P>The version that I have is 1.1.1</P><P></P><P></P><P>Thanks</P><P></P><P></P><P>P.S. </P><P>I went back to check my autorization condition, and it is blank (See the 1st screenshot)</P> Mon, 11 Mar 2019 04:12:08 GMT https://community.cisco.com/t5/network-access-control/ise-authorization-policy/m-p/2384238#M89199 steelinquisitor 2019-03-11T04:12:08Z https://community.cisco.com/t5/network-access-control/ise-authorization-policy/m-p/2384239#M89201 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>it is obvious that you are not matching any condition.</P><P>rather than keeping the condition blank, fill it with a condition that is always match and try if that helps.</P><P></P><P>Regards,</P><P></P><P>Amjad</P><P></P><P><SPAN style="color: blue;">Rating useful replies is more useful than saying <SPAN style="color: green;"> "<SPAN style="text-decoration: underline;">Thank you</SPAN>"</SPAN></SPAN></P></BODY></HTML> Thu, 19 Dec 2013 06:54:03 GMT https://community.cisco.com/t5/network-access-control/ise-authorization-policy/m-p/2384239#M89201 Amjad Abdullah 2013-12-19T06:54:03Z