Solved: Device Type - Failure Reason: 22017 Selected Identity Source is DenyAccess

bhinder119 · ‎04-02-2020

Hi Guys,

I'm having issues authenticating (TACACS+ w/AD) to my routers when I set the device type to "routers". When I try logging in, my prompt gives me access denied. ISE gives the below error: When I set device type to "All Device Types", I'm able to authenticate with no issue. Am I able to edit the authentication policies for my "router" device type? I attached a screenshot of the error.

Thanks!

Failure Reason	22017 Selected Identity Source is DenyAccess
Resolution	Select a different Identity Source

Mike.Cifelli · ‎04-02-2020

I cant see how your T+ device admin policies are configured, but I would take a look there (located under Work Centers->Device Administration->Device Admin Policy Sets). There are definitely conditions that you can utilize to meet your requirement of how you wish to break the NAD types and/or locations down to push policy that way. It sounds like you are not matching the currently configured policy. See here for more info: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/Workflow/b_device_administration_2_4.html

View solution in original post

Mike.Cifelli · ‎04-02-2020

I cant see how your T+ device admin policies are configured, but I would take a look there (located under Work Centers->Device Administration->Device Admin Policy Sets). There are definitely conditions that you can utilize to meet your requirement of how you wish to break the NAD types and/or locations down to push policy that way. It sounds like you are not matching the currently configured policy. See here for more info: https://www.cisco.com/c/en/us/td/docs/security/ise/2-4/admin_guide/Workflow/b_device_administration_2_4.html

bhinder119 · ‎04-03-2020

That was it! I needed to create a new policy/condition for my "routers" device type group.

Thanks for your help!!