03-31-2021 06:37 AM - edited 04-01-2021 05:02 AM
Hello,
I'm new to ISE (2.4) and the location I just recently joined has a lot of users in different sections that can't access the internet, with each one showing the 15039 failure error. I found the troubleshooting guide and have looked at other questions, but I don't understand how to work my way to a fix action.
Also, in ISE some users still have an IP address which is now unreachable, but every user affected can't pull a DHCP address, and I verified the scope was not full.
Here's an example of a working user's port:
sh authentication sessions int gi 1/0/1
Interface  MAC Address  Method  Domain  Status  Fg  Session ID
----------------------------------------------------------------------
Gi1/0/1    09e3         dot1x   DATA    Auth        832E013A0000005110F95D9A
Gi1/0/1    6fa0         mab     VOICE   Auth        832E013A0000001200021FFB
Runnable methods list:
Handle  Priority  Name
9       5         dot1x
20      10        mab
18      15        webauth
Any help would be greatly appreciated.
03-31-2021 07:36 PM
First of all, please double check if the Failure Reason is 15039 and not 15309.
At Administration > System > Logging > Message Catalog, filter the Message Code with your Failure Reason.
The Message Text and Message Description have a brief description of the failure.
For example, 15039 is "Rejected per Authorization Profile"; in other words, you should double check your Policy at Policy > Policy Sets and double check your Authorization Policy configuration.
Hope this helps!!!
04-06-2021 12:20 PM - edited 04-06-2021 01:19 PM
Thanks again for assisting Marcelo,
I noticed at this site everything runs through the default policy and then multiple Authorization policies. As I cram documents and videos, I noticed no one else does this, so could this be an issue or simply not best practice?
04-06-2021 07:50 PM
Generally, fine to keep things simple in the default policy when you start.
At some point you may want to split out authorizations into different policy sets for both administrative simplicity and performance. This could be done by Device Type (wired / wireless / VPN) or Location (regions or countries) or other conditions you choose. It depends on what you want to do...
04-01-2021 06:39 AM - edited 04-01-2021 06:40 AM
15039 | RADIUS | Rejected per authorization profile | Selected Authorization Profile contains ACCESS_REJECT attribute |
Exactly as Marcelo said... what is your policy such that people or things are suddenly failing your policy? Looks like ISE is doing its job.
You can find this list of errors in the Log Messages Reference and in ISE @ Administration > System > Logging > Message Catalog
04-04-2021 08:16 PM
I see we are just using the default policy set, and looking at the attributes I still can't tell why some users are getting rejected, but I will check the logs first thing.
04-09-2021 07:46 AM
I'm not sure what helped the issue, but endpoints are now pulling IP addresses, although there are still a handful with the same issue, so this may not have been an ISE issue.