Hi guys,
I am getting this error message in my lab. Long story short, my ISE is connected to AD and LDAP. The AD connection is for computers and users, and LDAP is there to be able to change the MAC format for MAB authentication.
I have the following authorization policy created (see attached). And I have changed the authentication policies Wired_MAB and Wireless_MAB to use the appropriate LDAP group, and the options are Continue, Continue, Drop. Now when I change the default authorization policy to DenyAccess, my printer doesn't work and it hits the default policy even though I have changed it to go via authorization rule 2n, as you can see. When I change the default policy to AllowAccess, it works.
I have grown 50 new grey hairs troubleshooting this; any help would be greatly appreciated.
This is the user I have in my AD for my printer to authenticate. Username: 00:00:92:42:8B:1E - Pass: 00:00:92:42:8B:1E
PS. My ISE version is below, and I am using it on my VMware server.
Cisco Application Deployment Engine OS Release: 3.0
ADE-OS Build Version: 3.0.3.030
ADE-OS System Architecture: x86_64
Copyright (c) 2005-2014 by Cisco Systems, Inc.
All rights reserved.
Hostname: SOMETHING
Version information of installed applications
---------------------------------------------
Cisco Identity Services Engine
---------------------------------------------
Version : 2.3.0.298
Build Date : Tue Jul 25 19:02:37 2017
Install Date : Fri Nov 24 11:19:18 2017
PS1: I am using the following policy-map
DOT1X_POLICY
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
  event authentication-failure match-first
    10 class always do-until-failure
      10 terminate dot1x
      20 authentication-restart 60
  event agent-found match-all
    10 class always do-until-failure
      10 authenticate using dot1x priority 10
  event authentication-success match-all
    10 class always do-until-failure
      10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE
MAB_POLICY
  event session-started match-all
    10 class always do-until-failure
      10 authenticate using mab priority 10
  event authentication-failure match-first
    10 class always do-until-failure
      10 terminate mab
      20 authentication-restart 60
  event authentication-success match-all
    10 class always do-until-failure
      10 activate service-template DEFAULT_LINKSEC_POLICY_MUST_SECURE