AuthIZ profiles

Saeed Abd Elhalim Hamada · ‎04-07-2025

dear all i have problem with Authiz policy what i say the user must authica first and be in any groups of the list and need to be android

if i remove the last condation that contant andorid the Authiz work

Overview

Event	5400 Authentication failed
Username	test
Endpoint Id	48:9B:E0:E8:B3:AB
Endpoint Profile	Android
Authentication Policy	Wireless-802.1x-NIB-WIFI SSID >> Wireless-802.1X
Authorization Policy	Wireless-802.1x-NIB-WIFI SSID >> Default
Authorization Result	DenyAccess

Authentication Details

Source Timestamp	2025-04-07 10:09:42.769
Received Timestamp	2025-04-07 10:09:42.769
Policy Server	ISE-01
Event	5400 Authentication failed
Failure Reason	15039 Rejected per authorization profile
Resolution	Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause	Selected Authorization Profile contains ACCESS_REJECT attribute
Username	test
Endpoint Id	48:9B:E0:E8:B3:AB
Calling Station Id	48-9b-e0-e8-b3-ab
Endpoint Profile	Android
Authentication Identity Store	NibHQ-AD
Identity Group	allow-list-testing
Audit Session Id	1510640A00021E800F4C53B6
Authentication Method	dot1x
Authentication Protocol	PEAP (EAP-MSCHAPv2)
Service Type	Framed
Network Device	WLC-01
Device Type	All Device Types
Location	All Locations
NAS IPv4 Address	10.100.16.21
NAS Port Id	capwap_900000b8
NAS Port Type	Wireless - IEEE 802.11
Authorization Profile	DenyAccess
Response Time	33 milliseconds

Other Attributes

ConfigVersionId	173
Device Port	63398
DestinationPort	1812
RadiusPacketType	AccessRequest
Protocol	Radius
NAS-Port	21617
Framed-MTU	1485
State	37CPMSessionID=1510640A00021E800F4C53B6;34SessionID=ISE-01/531755997/1489426;
undefined-186	00:0f:ac:04
undefined-187	00:0f:ac:04
undefined-188	00:0f:ac:01
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow	false
AcsSessionID	ISE-01/531755997/1489426
DetailedInfo	Authentication succeed
SelectedAuthenticationIdentityStores	NibHQ-AD
IdentityPolicyMatchedRule	Wireless-802.1X
AuthorizationPolicyMatchedRule	Default
EndPointMACAddress	48-9B-E0-E8-B3-AB
ISEPolicySetName	Wireless-802.1x-NIB-WIFI SSID
IdentitySelectionMatchedRule	Wireless-802.1X
AD-User-Resolved-Identities	test@nibhq.local
AD-User-Candidate-Identities	test@nibhq.local
TotalAuthenLatency	99
ClientLatency	66
AD-User-Resolved-DNs	CN=TEST,OU=Users,OU=57_Central Affairs Sector,OU=NIB-Sectors,DC=nibhq,DC=local
AD-User-DNS-Domain	nibhq.local
AD-Groups-Names	nibhq.local/Builtin/Users
AD-Groups-Names	nibhq.local/NIB-Sectors/57_Central Affairs Sector/57_Central Affairs Sector
AD-Groups-Names	nibhq.local/Users/Domain Users
AD-User-NetBios-Name	NIBHQ
IsMachineIdentity	false
UserAccountControl	66048
AD-User-SamAccount-Name	test
AD-User-Qualified-Name	test@nibhq.local
TLSCipher	ECDHE-RSA-AES256-GCM-SHA384
TLSVersion	TLSv1.2
DTLSSupport	Unknown
HostIdentityGroup	Endpoint Identity Groups:allow-list-testing
Network Device Profile	Cisco
Location	Location#All Locations
Device Type	Device Type#All Device Types
IPSEC	IPSEC#Is IPSEC Device#No
ExternalGroups	nibhq.local/S-1-5-32-545
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-18513
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-513
IdentityAccessRestricted	false
RADIUS Username	test
NAS-Identifier	WLC-01
Device IP Address	10.100.16.21
CPMSessionID	1510640A00021E800F4C53B6
Called-Station-ID	cc-7f-75-58-37-40:NIB_WIFI
CiscoAVPair	service-type=Framed,audit-session-id=1510640A00021E800F4C53B6,method=dot1x,client-iif-id=1711278343,vlan-id=1,cisco-wlan-ssid=NIB_WIFI,wlan-profile-name=NIB_WIFI_Global_F_a7fb7e41,AuthenticationIdentityStore=NibHQ-AD,FQSubjectName=e0d4af20-de9d-11ed-ab69-7e7af6e903ec#test@nibhq.local,UniqueSubjectID=4fced747fcb06203d7961e0773857192d1963517

Result

RadiusPacketType

AccessReject

Session Events

2025-04-07 10:09:42.769

Authentication failed

Steps

Step ID	Description	Latency (ms)
11001	Received RADIUS Access-Request - NibHQ-AD
11017	RADIUS created a new session - nibhq.local	0
15049	Evaluating Policy Group - NibHQ-AD	1
15008	Evaluating Service Selection Policy	0
15048	Queried PIP - DEVICE.Device Type	0
15048	Queried PIP - Radius.NAS-Port-Id	1
15048	Queried PIP - DEVICE.Network Device Profile	0
15048	Queried PIP - Normalised Radius.RadiusFlowType	0
15048	Queried PIP - Radius.Called-Station-ID	0
11507	Extracted EAP-Response/Identity	1
12500	Prepared EAP-Request proposing EAP-TLS with challenge	0
12625	Valid EAP-Key-Name attribute received	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	5
11018	RADIUS is re-using an existing session	0
12301	Extracted EAP-Response/NAK requesting to use PEAP instead	0
12300	Prepared EAP-Request proposing PEAP with challenge	0
12625	Valid EAP-Key-Name attribute received	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	4
11018	RADIUS is re-using an existing session	0
12302	Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated	0
61025	Open secure connection with TLS peer	1
12319	Successfully negotiated PEAP version 1	0
12800	Extracted first TLS record; TLS handshake started	0
12805	Extracted TLS ClientHello message	0
12806	Prepared TLS ServerHello message	0
12807	Prepared TLS Certificate message	0
12808	Prepared TLS ServerKeyExchange message	8
12810	Prepared TLS ServerDone message	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	7
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	6
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	25
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
12319	Successfully negotiated PEAP version 1	0
12810	Prepared TLS ServerDone message	0
12812	Extracted TLS ClientKeyExchange message	2
12803	Extracted TLS ChangeCipherSpec message	0
12804	Extracted TLS Finished message	0
12801	Prepared TLS ChangeCipherSpec message	0
12802	Prepared TLS Finished message	0
12816	TLS handshake succeeded	0
12310	PEAP full handshake finished successfully	0
12305	Prepared EAP-Request with another PEAP challenge	1
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	4
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
12313	PEAP inner method started	0
11521	Prepared EAP-Request/Identity for inner EAP method	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	6
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
11522	Extracted EAP-Response/Identity for inner EAP method	0
11806	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	6
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
11808	Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated	0
15041	Evaluating Identity Policy	1
15013	Selected Identity Source - NibHQ-AD	1
24430	Authenticating user against Active Directory - NibHQ-AD	0
24325	Resolving identity - test	2
24313	Search for matching accounts at join point - nibhq.local	0
24319	Single matching account found in forest - nibhq.local	0
24323	Identity resolution detected single matching account	0
24343	RPC Logon request succeeded - test@nibhq.local	2
24402	User authentication against Active Directory succeeded - NibHQ-AD	0
22037	Authentication Passed	0
11824	EAP-MSCHAP authentication attempt passed	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	4
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	1
11810	Extracted EAP-Response for inner method containing MSCHAP challenge-response	0
11814	Inner EAP-MSCHAP authentication succeeded	0
11519	Prepared EAP-Success for inner EAP method	0
12314	PEAP inner method finished successfully	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	3
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
24715	ISE has not confirmed locally previous successful machine authentication for user in Active Directory	0
15036	Evaluating Authorization Policy	1
24209	Looking up Endpoint in Internal Endpoints IDStore - test	0
24211	Found Endpoint in Internal Endpoints IDStore	1
15048	Queried PIP - Network Access.AuthenticationStatus	0
24432	Looking up user in Active Directory - test
24355	LDAP fetch succeeded
24416	User's Groups retrieval from Active Directory succeeded
15048	Queried PIP - NibHQ-AD.ExternalGroups	3
15048	Queried PIP - Session.Device-OS	0
15016	Selected Authorization Profile - DenyAccess	1
15039	Rejected per authorization profile	0
12306	PEAP authentication succeeded	0
61026	Shutdown secure connection with TLS peer	0
11503	Prepared EAP-Success	0
11003	Returned RADIUS Access-Reject	1

PSM · ‎04-07-2025

This is because from the radius packet ISE is not able to identify if it the device OS is android. Either you remove this or you find another better attribute which can be used in condition.

Saeed Abd Elhalim Hamada · ‎04-07-2025

ok i use profile called android and also didnt work

PSM · ‎04-09-2025

Can you share updated policy and logs ?