
Auth Failed, authorization -DenyAccess for a device. How can I quickly add these devices into the relevant identity group so that they can be authorized?

getaway51
Level 2

Hi,

I looked in the ISE log and saw Auth Failed, authorization -DenyAccess for a device. How can I quickly add these devices into the relevant identity group so that they can be authorized?


Colby LeMaire
VIP Alumni

There is not enough detail in your question to give you a specific answer.  Can you post a screenshot of the failure details?  Is the device attempting 802.1x or MAB?  What kind of device?  Is it failing authentication?  Or is it passing authentication and just matching on an authorization rule with Deny Access as the result?

Hi,

The device is an Avaya device. It passed authentication due to monitor mode now. However, it failed MAB authorization due to its identity group not being in the authorization policy. It went to the Cisco ISE default identity group - profiled-Avaya device. It got DenyAccess due to the IG not being in the authorization policy. So now I need to add the MAC into the relevant IG.

No, you just need to create a rule in your authorization policy that is for Avaya IP Phones, set the condition to look for the Avaya profile, and then assign whatever permissions you want.  I am assuming that the device is being profiled properly.

Hi,
There is already an authorization rule for the identity group. I just need to add those failed devices' MACs into the group.
I got those devices' MACs from the live logs.

Then go to Administration->Identity Management->Identities->Groups and find the group that you have the authorization rule for.  In there, click "Add" and then add the MAC addresses to the group.  That's it.

You can also do it through Context Visibility.  Filter for the MAC address, click on it, select "Edit" and select the group you want it to be in and check the "Static" box.
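
For more than a handful of devices, the static group assignment described in the replies above can be prepared in bulk. The following is an added example, not part of the original thread or Cisco's own code: it assumes the ISE ERS API is enabled, and the CSV column names, sample MACs and group ID placeholder are constructed for illustration.

```python
import csv, io, json, re

# Constructed sample: failed Live Log entries exported as CSV (column names are assumptions).
SAMPLE_LOG = """\
endpoint_id,authorization_result,identity_group
00-1B-4F-AA-BB-01,DenyAccess,Profiled:Avaya-Device
001b.4faa.bb02,DenyAccess,Profiled:Avaya-Device
00:1b:4f:aa:bb:01,DenyAccess,Profiled:Avaya-Device
00:1B:4F:AA:BB:03,PermitAccess,Avaya-Phones
not-a-mac,DenyAccess,Unknown
"""

GROUP_ID = "<endpoint-identity-group-id>"  # placeholder: look up the real ID in your ISE

def normalize_mac(raw):
    """Return the MAC as AA:BB:CC:DD:EE:FF, or None if it is not 12 hex digits."""
    digits = re.sub(r"[.:\-]", "", raw.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def denied_macs(log_text):
    """Unique normalized MACs that hit DenyAccess, plus raw values that failed validation."""
    macs, rejected = [], []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["authorization_result"] != "DenyAccess":
            continue
        mac = normalize_mac(row["endpoint_id"])
        if mac is None:
            rejected.append(row["endpoint_id"])
        elif mac not in macs:
            macs.append(mac)
    return macs, rejected

def ers_payloads(macs, group_id):
    """One ERS endpoint body per MAC, with the static group flag set."""
    return [{"ERSEndPoint": {"mac": m, "groupId": group_id,
                             "staticGroupAssignment": True}} for m in macs]

if __name__ == "__main__":
    macs, rejected = denied_macs(SAMPLE_LOG)
    for body in ers_payloads(macs, GROUP_ID):
        print(json.dumps(body))  # each body is what would be POSTed to /ers/config/endpoint
    print("skipped (not a valid MAC):", rejected)
```

Check the resulting MAC list against your phone inventory before submitting it, since a static entry in a MAB-authorized group grants that access to any device presenting the MAC.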