
15022 Could not find selected Access Service - Cisco ISE 2.4

drivera_
Level 1

Hi everybody. Right now I'm having an issue when connecting an endpoint. This endpoint can't get successful authorization access because it generates the error "15022 Could not find selected Access Service". I'm looking for the root cause of this error online, but I haven't found anything yet. I will appreciate any help someone can give me. I attached the error generated.

 

Thank you in advance.

Accepted Solutions

drivera_
Level 1

Hi everybody, we found the solution!

The issue was with the Active Directory sync, because the AD clock was not in sync with the PSNs' clocks. Thank you so much for your help.

 

 


pan
Cisco Employee

You may have to check allowed protocol. Try using default allowed protocol.

Hi,

 

You mean by activating the Default Network Access option? I attached two files, but right now we have configured two custom options on Allowed Protocols. I'm confused.

 

 

Can you show the step data? 

 

How are the clients authenticating? User/pass, cert etc?

 

Is it all the same devices, or just one?

We have the following environment: 3 PSN, 2 PAN, and 2 MnT. We only have dot1x and MAB configured for now, and we're testing only wired network devices. We're using EAP-TLS and PEAP with dot1x and Internal Endpoints for MAB. I have attached images of all the configurations we have set. There are several users with the same problem, and even when every endpoint has its certificate, it fails dot1x and starts MAB, sometimes failing too.

I will appreciate any help you guys can give me.

Just curious what config you have on the switch side.

Have you followed the best Cisco ISE config on the switch side?

please do not forget to rate.

pan
Cisco Employee

Please use "Default network access" shown in the first attachment. Also, what method are you using for authentication?

We have the following environment: 3 PSN, 2 PAN, and 2 MnT. We only have dot1x and MAB configured for now, and we're testing only wired network devices. We're using EAP-TLS and PEAP with dot1x and Internal Endpoints for MAB. I have attached images of all the configurations we have set. There are several users with the same problem, and even when every endpoint has its certificate, it fails dot1x and starts MAB, sometimes failing too.

I will appreciate any help you guys can give me.

Would suggest you check the configuration at Policy > Policy Sets > Authentication. Here, check every policy set for the section "Allowed Protocols / Server Sequence". See if any policy set has an empty one. If yes, choose one and save the config.


@Surendra wrote:

Would suggest you check the configuration at Policy > Policy Sets > Authentication. Here, check every policy set for the section "Allowed Protocols / Server Sequence". See if any policy set has an empty one. If yes, choose one and save the config.


Hi Surendra. I checked that and everything is OK with that. All policy sets have the field "Allowed Protocols / Server Sequence" with a service list.

Nidhi
Cisco Employee

Please raise a TAC case to troubleshoot this further. 

Seems to me your authorization rules are not defined properly.

You need to be more specific and narrow it down, for example: if

network access-EapTunnel = Peap MSCAP then permit

 

please do not forget to rate.

gold.pigeon
Level 1

When upgrading from Cisco ISE v2.2 to Cisco ISE v2.4, either by an ordinary upgrade or a re-image to v2.4 followed by a restore from backup, I ran into the issue that some policy sets were missing the settings for Allowed Protocols.

 

When re-selecting the right allowed protocol, it works again.

CCIE Security #53075 | Aruba ACCX #703