
15039 Rejected per authorization profile

Adnan Ahmad

Hello experts,

 

I am getting the following error when I use dot1x with local user authen on ISE.

Switchport configuration is below:

 

inter gig1/0/9
switchport
switchport mode access
switchport voice vlan 221
authen port-control auto
authen host-mode multi-auth
authen order mab dot1x
authen priority dot1x mab
mab
dot1x pae authen
exit

 

After trying a few times, it registers with MAB authen, which I don't want. The VLAN is downloaded from the DACL.

 

I need to solve this issue ASAP; please can someone help in this regard? I'm new to ISE, so if you need any further info please let me know.

 

Thanks in advance.

Regards,

Adnan

 

ISE-Error.jpg


Hi,

 

Below is the output of "show authen session inter gig1/0/14". As for the TCP dump file, I will create it in a while and share it with you.

 


Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/14     0050.56ae.231b mab     DATA    Auth      0A640816000000EB16BE55B0
Gi1/0/14     5000.0017.0000 mab     DATA    Unauth    0A640816000000EE16BF081C
Gi1/0/14     346f.9016.d825 mab     VOICE   Auth      0A640816000000EC16BEA5F8
Gi1/0/14     5000.0002.0000 mab     DATA    Auth      0A640816000000ED16BEE903


Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
    6        5      dot1x
    20       10     mab
    18       15     webauth

The output should look like this:

 

LAB-SWI#show authentication sessions interface fastEthernet 0/3
            Interface:  FastEthernet0/3
          MAC Address:  000c.298b.4567
           IP Address:  192.168.11.101
            User-Name:  host/WIN7-PC.network.local
               Status:  Authz Success
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-host
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  C0A80A0100000B4B244D0EA1
      Acct Session ID:  0x00000B52
               Handle:  0xF9000B4C

Runnable methods list:
       Method   State
       dot1x    Authc Success

What you provided is not what I was looking for. What switch model and version are you running? Are you sure you ran the correct command as I specified? I can get the same output as you provided by using the command "show authentication interface fas 0/3", but that is not what I want to see.

Hi,

Yes I have configured globally "dot1x system-auth-control".

 

For me, I have a 3750 E with IOS version 15.2. The following is the output I get when I say "show authen session inter gig1/0/14":

 


Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/14     0050.56ae.231b mab     DATA    Auth      0A640816000000EB16BE55B0
Gi1/0/14     0050.56ae.d5b5 mab     DATA    Auth      0A640816000000F016D9EA2D
Gi1/0/14     5000.0017.0000 mab     DATA    Unauth    0A640816000000EE16BF081C
Gi1/0/14     346f.9016.d825 mab     VOICE   Auth      0A640816000000EC16BEA5F8
Gi1/0/14     5000.0002.0000 mab     DATA    Auth      0A640816000000ED16BEE903


Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
    6        5      dot1x
    20       10     mab
    18       15     webauth

 

 

From your previous output you cannot see dot1x under the method status list; that would indicate to me it wasn't run.

 

Method status list:
       Method           State

       mab              Authc Success

 

Set the authentication order to be dot1x then mab, try again.

 

A packet capture on the RADIUS server would indicate whether dot1x was run or not. Also run a debug on the switch at the same time you attempt to authenticate.
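The check discussed in this thread (did any session on the port authenticate with dot1x, or did everything fall back to MAB?) can be run over the summary table shown above. This is an added Python example, not part of the thread and not Cisco tooling; the function names are hypothetical and the sample text is the table rows copied from the Gi1/0/14 output in the thread.

```python
import re
from collections import Counter

# One row of the "show authentication sessions interface ..." summary table.
# The Fg (flags) column is often empty, so it is optional in the pattern.
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<mac>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<method>\S+)\s+(?P<domain>\S+)\s+(?P<status>\S+)\s+"
    r"(?:(?P<flags>[A-Z]+)\s+)?(?P<session_id>[0-9A-F]{24})\s*$"
)

# Rows copied from the thread's output for Gi1/0/14.
SAMPLE = """\
Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/14     0050.56ae.231b mab     DATA    Auth      0A640816000000EB16BE55B0
Gi1/0/14     0050.56ae.d5b5 mab     DATA    Auth      0A640816000000F016D9EA2D
Gi1/0/14     5000.0017.0000 mab     DATA    Unauth    0A640816000000EE16BF081C
Gi1/0/14     346f.9016.d825 mab     VOICE   Auth      0A640816000000EC16BEA5F8
Gi1/0/14     5000.0002.0000 mab     DATA    Auth      0A640816000000ED16BEE903
"""

def parse_sessions(text):
    """Return one dict per session row; header and separator lines are skipped."""
    return [m.groupdict() for line in text.splitlines()
            if (m := ROW.match(line.strip()))]

def mab_authorized(sessions, domain="DATA"):
    """Sessions authorized via MAB in a domain where dot1x was expected."""
    return [s for s in sessions
            if s["method"] == "mab" and s["status"] == "Auth"
            and s["domain"] == domain]

def method_summary(sessions):
    """Count sessions per (method, status) pair."""
    return Counter((s["method"], s["status"]) for s in sessions)

def dot1x_seen(sessions):
    """True if at least one session on the port used dot1x."""
    return any(s["method"] == "dot1x" for s in sessions)

if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE)
    print(dict(method_summary(sessions)))
    print("dot1x seen:", dot1x_seen(sessions))
    for s in mab_authorized(sessions):
        print("DATA endpoint authorized by MAB:", s["intf"], s["mac"])
```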
