3113 Views, 30 Helpful, 6 Replies

authentication failed, Error 15039 rejected per authorization profile

Amen (Level 1)

On ISE version 3.0.0.458 - Patch 2, I have 15 clients facing this issue:

 

 

The port config:

authentication periodic
authentication timer reauthenticate server
access-session control-direction in
access-session port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 5

policy-map type control subscriber DOT1X-DEFAULT
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
 event violation match-all
  10 class always do-all
   10 restrict
 event authentication-failure match-first
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 terminate dot1x
   20 authenticate using mab
  22 class DOT1X_TIMEOUT do-all
   10 terminate dot1x
   20 authenticate using mab
  24 class DOT1X_NO-RESP do-all
   10 terminate dot1x
   20 authenticate using mab
  30 class MAB-FAILED do-all
   10 activate service-template QUARANTINE
   20 authorize
   30 terminate dot1x
   40 terminate mab
 event agent-found match-all
  10 class always do-all
   10 terminate mab
   20 authenticate using dot1x

service-policy type control subscriber DOT1X-DEFAULT


Another profile:

policy-map type control subscriber DOT1X-RETRY
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using mab priority 20
   20 authenticate using dot1x priority 10
 event violation match-all
  10 class always do-all
   10 restrict
 event authentication-failure match-first
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 terminate dot1x
   20 authenticate using mab
  22 class DOT1X_TIMEOUT do-all
   10 terminate dot1x
   20 authenticate using mab
  24 class DOT1X_NO-RESP do-all
   10 terminate dot1x
   20 authenticate using mab
  30 class MAB-FAILED do-all
   10 authenticate using dot1x retries 2 retry-time 0 priority 10
   20 set-timer WAIT 10
   30 activate service-template QUARANTINE
   40 authorize
   50 terminate dot1x
   60 terminate mab
 event agent-found match-all
  10 class always do-all
   10 terminate mab
   20 authenticate using dot1x retries 2 retry-time 0 priority 10


Can anyone advise if I am facing a bug, or is there something I can try to do to avoid this problem?

6 Replies

Mike.Cifelli (VIP Alumni)

> Can anyone advise if I am facing a bug, or is there something I can try to do to avoid this problem?

- These clients seem to be hitting the default authz policy for onboarding. I would look into why these clients are not matching on the authz condition that you intend them to match for your desired authz profile result by verifying your policy buildout/structure. Are all clients having this issue or just the 15 mentioned?

Amen (Level 1)

Only 15 clients out of more than 100 are facing this issue, and it was working fine before.

The problem occurs sporadically. After deactivating 802.1X on the network port, the problem disappears; it can then be activated again and works for a certain time.

Mike.Cifelli (VIP Alumni)

I would recommend doing the following:

- Take a known good and a known bad client, and then do a step-by-step comparison of the onboarding workflow for each. This should narrow down the issue. I am assuming that the issue is in your ISE authz policies, with the 15 clients not matching on the desired policy.

Amen (Level 1)

The policies/configurations are the same for all 700-750 clients.

You are hitting an Authorization Policy rule named Default that has the result profile DenyAccess.

In Policy > Policy Sets, select the policy set and double-check the Authorization Policy configuration.

Greg Gibbs (Cisco Employee)

It's tough to say without more detail on how your policies are configured, but you might be running into an issue with how Concurrent Auth works (which, technically, ISE does not understand).

At reauth, the switch may be trying MAB first. If you have a default AuthZ Policy that sends an ACCESS_REJECT, it will cause a race condition (since MAB completes faster than dot1x) where the supplicant fails auth and stops trying for a retry period. A best practice when using Concurrent Auth is to have a default AuthZ Policy that sends an ACCESS_ACCEPT with a restrictive DACL. That will keep the supplicant happy until dot1x completes and successfully reauths.

Using Sequential Auth as per the configuration in the Secure Wired Access Prescriptive Deployment Guide will resolve this issue.

You can also try using the 'termination-action-modifier=1' attribute to mitigate the reauth issue as described in this post:

CPL Template MAB/Dot1x Simultaneously
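The sequential-auth alternative Greg describes, written out as an added example against the DOT1X-DEFAULT policy-map posted above (this is not configuration from the thread or from the deployment guide). It keeps the poster's own class names (AAA-DOWN, DOT1X-FAILED, DOT1X_TIMEOUT, DOT1X_NO-RESP, MAB-FAILED) and service templates (CRITICAL, QUARANTINE), which are assumed to already be defined on the switch; the interface range is a placeholder for whatever access ports carry the policy today. The only substantive change is in `event session-started`: dot1x alone starts the session, and MAB is reached only through the authentication-failure classes, so a MAB ACCESS_REJECT from the Default/DenyAccess rule can no longer land while the supplicant is still mid-EAP.

```ios
! Added example, not from the original post.
!
! Before (concurrent, as posted): both methods launch on session-start.
! MAB finishes first; if the MAC does not match an AuthZ rule, the Default
! rule's DenyAccess rejects the session before dot1x has completed.
!
!  event session-started match-all
!   10 class always do-until-failure
!    10 authenticate using mab priority 20
!    20 authenticate using dot1x priority 10
!
! After (sequential): dot1x only at session-start. MAB is attempted only
! when dot1x fails, times out, or no supplicant answers.
policy-map type control subscriber DOT1X-SEQUENTIAL
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
 event violation match-all
  10 class always do-all
   10 restrict
 event authentication-failure match-first
  10 class AAA-DOWN do-all
   10 authorize
   20 activate service-template CRITICAL
   30 terminate dot1x
   40 terminate mab
  20 class DOT1X-FAILED do-all
   10 terminate dot1x
   20 authenticate using mab priority 20
  22 class DOT1X_TIMEOUT do-all
   10 terminate dot1x
   20 authenticate using mab priority 20
  24 class DOT1X_NO-RESP do-all
   10 terminate dot1x
   20 authenticate using mab priority 20
  30 class MAB-FAILED do-all
   10 activate service-template QUARANTINE
   20 authorize
   30 terminate dot1x
   40 terminate mab
 event agent-found match-all
  10 class always do-all
   10 terminate mab
   20 authenticate using dot1x priority 10
!
! Swap the policy on the access ports (range is an assumed placeholder).
interface range GigabitEthernet1/0/1 - 48
 no service-policy type control subscriber DOT1X-DEFAULT
 service-policy type control subscriber DOT1X-SEQUENTIAL
```

Two caveats when moving from concurrent to sequential. First, hosts without a supplicant now wait for the dot1x timeout before MAB starts: with the posted `dot1x timeout tx-period 5` and the default `dot1x max-reauth-req 2`, that is roughly three EAP-Request/Identity frames, about 15 seconds, before DOT1X_NO-RESP fires, so printers and phones onboard later than they do today. Second, if you would rather stay concurrent, the fix is on the ISE side instead: change the Default rule's result from DenyAccess to a PermitAccess profile carrying a restrictive DACL, so the early MAB answer is an ACCESS_ACCEPT the supplicant can live with until dot1x completes. In either case, `show access-session interface <port> details` on the switch shows which method produced the current session and whether the reauth is being driven by MAB or dot1x.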