02-24-2020 10:46 AM
Hi Experts,
I am testing a use case in ISE where ISE is not authorizing the AD user. When I test this AD user from the switch with the command test aaa group radius username@AD.com Password new-code, it says:
User successfully authenticated
USER ATTRIBUTES
username 0 "Username"
tunnel-type 1 13 [vlan]
tunnel-medium-type 1 6 [ALL_802]
tunnel-private-group 1 "IT"
This means it is successfully authenticated and is getting authorization as well. But when I test from the endpoint, it gives me the error below. Please tell me what I am missing.
It is ACCESS_ACCEPT in the authorization profile; I don't know why the root cause says "Authorization Profile with ACCESS_REJECT attribute".
Event | 5400 Authentication failed |
Failure Reason | 15039 Rejected per authorization profile |
Resolution | Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results. |
Root cause | Selected Authorization Profile contains ACCESS_REJECT attribute |
I am also listing all the steps it performs during this process.
11001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 | Evaluating Policy Group
15008 | Evaluating Service Selection Policy
15048 | Queried PIP - DEVICE.Device Type
15041 | Evaluating Identity Policy
15048 | Queried PIP - Normalised Radius.RadiusFlowType
15013 | Selected Identity Source - Internal Endpoints
24209 | Looking up Endpoint in Internal Endpoints IDStore - 00:50:56:5D:D5:2A
24211 | Found Endpoint in Internal Endpoints IDStore
22037 | Authentication Passed
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 | Evaluating Authorization Policy
24432 | Looking up user in Active Directory - AD.com
24325 | Resolving identity - 00-50-56-5D-D5-2A
24313 | Search for matching accounts at join point - AD.com
24318 | No matching account found in forest - AD.com
24322 | Identity resolution detected no matching account
24352 | Identity resolution failed - ERROR_NO_SUCH_USER
24412 | User not found in Active Directory - AD.com
15048 | Queried PIP - AD.com.ExternalGroups (3 times)
15016 | Selected Authorization Profile - DenyAccess
15039 | Rejected per authorization profile
11003 | Returned RADIUS Access-Reject
02-24-2020 01:57 PM
As per Step Data:
24325 | Resolving identity - 00-50-56-5D-D5-2A |
ISE is trying to resolve identity for the endpoint MAC address, so this is MAB. As such, the session is falling to the Default AuthZ Policy, which is Deny Access (with a result of ACCESS-REJECT).
There is likely an issue with your 802.1x configuration and the client is either not responding or failing 802.1x and falling back to MAB.
I would suggest reviewing the ISE Secure Wired Access Prescriptive Guide and comparing it against your environment. If all else fails, you might need to open a TAC case to get assistance with taking debugs and packet captures to investigate the end-to-end flow.
Cheers,
Greg
02-25-2020 02:04 AM - edited 02-25-2020 05:12 AM
Thanks Greg,
You are right, it is doing MAB only. Because of the CPL, dot1x and MAB are happening at the same time and I am getting ACCESS_REJECT.
I am using the CPL config below. Could you please give me a sample CPL config in which I can do only dot1x? It looks like CSCuy05270 is what is hitting this.
CPL config:
class-map type control subscriber match-any AAA-DOWN
 match result-type aaa-timeout
!
class-map type control subscriber match-all DOT1X-FAILED
 match method dot1x
 match result-type method dot1x authoritative
!
ip access-list extended ACL-ALLOW
 permit ip any any
!
service-template CRITICAL
 access-group ACL-ALLOW
!
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-all
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event violation match-all
  10 class always do-all
   10 restrict
 event agent-found match-all
  10 class always do-all
   10 authenticate using dot1x
 event authentication-failure match-all
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 authenticate using mab
!
Interface Config:
interface range g2/0/24
 switchport host
 switchport access vlan 100
 service-policy type control subscriber DOT1X-DEFAULT
 authentication periodic
 authentication timer reauthenticate server
 mab
 access-session host-mode multi-auth
 dot1x timeout tx-period 10
 access-session port-control auto
!
RadiusPacketType | AccessReject
AuthenticationResult | Passed
UserName | 00:50:56:5D:D5:2A
02-25-2020 02:38 PM
When using Concurrent Auth, you will always see a MAB session followed by a dot1x session when the switch sees an EAPOL from the client. With the correct C3PL policy, the dot1x session will override the initial MAB session for the same MAC address.
If you are not using the C3PL configuration recommended in the Prescriptive Guide, I would suggest having a look at this example that uses Concurrent Auth.
Configure IBNS 2.0 for Single-Host and Multi-Domain Scenarios
One thing that stands out is that your first 'class' command should be:
10 class always do-until-failure
There are many variables here, so I'm not sure if that is causing your specific issue, but it should definitely be changed.
If you're using the same C3PL policy as the example above and are still having issues, you will likely need to start looking at what's happening on the client side via logs and packet captures.
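For reference, the minimal corrected form of the policy posted above, as an added example (it is not from the Cisco guide Greg links and not the poster's final configuration). It keeps the poster's class-maps, service-template and names (DOT1X-DEFAULT, AAA-DOWN, DOT1X-FAILED, CRITICAL, port g2/0/24), changes `do-all` to `do-until-failure` as recommended, and adds `dot1x pae authenticator` on the port, which the poster later reports fixed it. Two items are my additions following the standard IBNS 2.0 concurrent-auth pattern rather than anything stated in the thread: `terminate mab` when the client answers EAPOL (agent-found), and `match-first` with `terminate dot1x` before the MAB fallback on the failure event.

```cisco
! As posted (weak form): "do-all" under session-started runs the dot1x and MAB
! actions regardless of the previous action's outcome, nothing stops the MAB
! attempt once the client starts talking EAPOL, and without
! "dot1x pae authenticator" the port never sends EAPOL-Request/Identity,
! so only MAB ever reaches ISE (hence the MAC-address identity in step 24325).
!
! Corrected policy-map (added example; class-maps/service-template unchanged):
policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20
 event violation match-all
  10 class always do-until-failure
   10 restrict
 event agent-found match-all
  10 class always do-until-failure
   10 terminate mab
   20 authenticate using dot1x priority 10
 event authentication-failure match-first
  10 class AAA-DOWN do-until-failure
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-until-failure
   10 terminate dot1x
   20 authenticate using mab priority 20
!
! Interface: the line the poster found missing is "dot1x pae authenticator".
interface GigabitEthernet2/0/24
 switchport host
 switchport access vlan 100
 dot1x pae authenticator
 mab
 access-session host-mode multi-auth
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 dot1x timeout tx-period 10
 service-policy type control subscriber DOT1X-DEFAULT
```

The `priority` values are what let the dot1x result override the MAB result for the same MAC (lower number wins), which is the behaviour Greg describes. After applying it, `show access-session interface GigabitEthernet2/0/24 details` shows which method actually authorized the session; if it still reads MAB with no dot1x attempt, the port is not sending EAPOL and the client side is the next place to look.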
02-26-2020 04:18 AM
Thanks very much Greg,
It's working now after adding the command "dot1x pae authenticator" under the interface to which the endpoint is connected. I am able to assign IPs to AD users according to their groups, e.g. the IT group gets a VLAN 10 IP and Sales gets VLAN 20.
The only doubt I have is that in the ISE live logs the IP information is not showing against the endpoints.
Regards,
Garry
02-26-2020 06:59 AM
Hi,
Do you have RADIUS accounting and device tracking configured?
Regards,
Cristian Matei.
02-26-2020 10:24 AM
Hi Cristian,
Where and how should I enable RADIUS accounting and device tracking? Could you please guide me.
Regards,
Garry
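The thread ends without an answer to that question; the following is an added example, not a reply from the thread, of the switch-side configuration Cristian is referring to. It assumes IOS-XE 16.x new-style (IBNS 2.0) AAA, which is consistent with the poster's C3PL usage; the policy name IPDT-POLICY, the server group name `radius`, and the port are assumptions, and the RADIUS server definition itself is not shown.

```cisco
! Added example; assumes IOS-XE 16.x with new-style (IBNS 2.0) AAA.
! IPDT-POLICY and the server group name "radius" are assumed names.
!
! 1. RADIUS accounting for identity sessions. ISE learns the endpoint IP
!    from Framed-IP-Address carried in Accounting Start/Interim-Update,
!    so without accounting the live log never gets an IP for the session.
aaa accounting identity default start-stop group radius
aaa accounting update newinfo periodic 2880
!
! 2. Include Framed-IP-Address (attribute 8) in Access-Requests too, so a
!    re-authentication already carries the IP the switch has learned.
radius-server attribute 8 include-in-access-req
!
! 3. Device tracking: the switch learns the IP-to-MAC binding for the session
!    by snooping ARP/DHCP/ND; this is what populates Framed-IP-Address.
!    (Legacy 15.x platforms use the global "ip device tracking" instead.)
device-tracking policy IPDT-POLICY
 tracking enable
!
interface GigabitEthernet2/0/24
 device-tracking attach-policy IPDT-POLICY
```

Once both are in place, `show device-tracking database` on the switch should list the endpoint's MAC with its IP, and the ISE live session for that MAC should show the same IP after the next Accounting Start or Interim-Update.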