How to customise the Access-Reject for a failed Authentication Policy

Arne Bier
VIP

Hi

I am unable to figure out how to enrich the Access-Reject reply with additional RADIUS attributes in a particular use case - I am looking up the Guest User identity store and if the user is disabled then I want to return a custom Reply-Message to the client as a reason for rejecting the request. The response to the client should look as follows:

Access Type = ACCESS_REJECT

Reply-Message = User-Not-Found

But I am unable to specify a customised Deny Result that includes the Reply-Message.  Is this possible for Authentication Policies?

Here are the ISE 2.2 Steps

Steps

   11001  Received RADIUS Access-Request
   11017  RADIUS created a new session
   11117  Generated a new session ID
   15049  Evaluating Policy Group
   15008  Evaluating Service Selection Policy
   15048  Queried PIP - Normalised Radius.RadiusFlowType (2 times)
   15048  Queried PIP - DEVICE.Device Type
   15004  Matched rule - WebProxy
   15041  Evaluating Identity Policy
   15006  Matched Default Rule
   22072  Selected identity source sequence - Guest_Portal_Sequence
   15013  Selected Identity Source - Internal Users
   24210  Looking up User in Internal Users IDStore - user1
   24216  The user is not found in the internal users identity store
   15013  Selected Identity Source - Guest Users
   24631  Looking up User in Internal Guests IDStore
   24206  User disabled
   22057  The advanced option that is configured for a failed authentication request is used
   22061  The 'Reject' advanced option is configured in case of a failed authentication request
   11003  Returned RADIUS Access-Reject

Accepted Solution

hslai
Cisco Employee

RFC 2865 RADIUS Section 4.3 Access-Reject says:

   ... If any value of the received Attributes is not acceptable, then
   the RADIUS server MUST transmit a packet with the Code field set
   to 3 (Access-Reject). It MAY include one or more Reply-Message
   Attributes with a text message which the NAS MAY display to the
   user. ...

Because it says "MAY" and not "MUST", ISE is currently not sending the Reply-Message attribute in these responses.

If you have a very good use case, then I hope you may bring it up with our product management teams, either directly (if Cisco internal) or indirectly (if partners or customers).


7 Replies

howon
Cisco Employee

No, not possible with authentication policies. You will need to let it continue to the Authorization and send a customized AuthZ profile that contains Reject & Reply-Message. The problem is though, currently in ISE the 'User Disabled' attribute is not an exposed AuthZ condition, which may make your AuthZ policy a bit more complex.

Hi howon

Thanks for the excellent suggestion. I was a long-time Cisco Prime Access Registrar user and almost anything was possible - even if it meant writing some tcl code :-)

I tried your suggestion and it works. Well... partially.

On the surface, ISE seems to be processing the request correctly, and even tells me it's applying the AuthZ Profile - but my Access-Reject does not contain the additional attribute I wanted.

I created an Authorization Profile called "WebProxyRejectUNF" that contains the additional Reply-Message:

Access Type = ACCESS_REJECT

Reply-Message = User-Not-Found

And when I get such a failed Auth, the steps now look correct:

Steps

   11001  Received RADIUS Access-Request
   11017  RADIUS created a new session
   11117  Generated a new session ID
   15049  Evaluating Policy Group
   15008  Evaluating Service Selection Policy
   15048  Queried PIP - Normalised Radius.RadiusFlowType (2 times)
   15048  Queried PIP - DEVICE.Device Type
   15004  Matched rule - WebProxy
   15041  Evaluating Identity Policy
   15006  Matched Default Rule
   22072  Selected identity source sequence - Guest_Portal_Sequence
   15013  Selected Identity Source - Internal Users
   24210  Looking up User in Internal Users IDStore - user1
   24216  The user is not found in the internal users identity store
   15013  Selected Identity Source - Guest Users
   24631  Looking up User in Internal Guests IDStore
   24206  User disabled
   22057  The advanced option that is configured for a failed authentication request is used
   22060  The 'Continue' advanced option is configured in case of a failed authentication request
   24423  ISE has not been able to confirm previous successful machine authentication
   15036  Evaluating Authorization Policy
   15048  Queried PIP - DEVICE.Device Type
   15048  Queried PIP - Network Access.AuthenticationStatus
   15004  Matched rule - Web Proxy Failed
   15016  Selected Authorization Profile - WebProxyRejectUNF
   15039  Rejected per authorization profile
   11003  Returned RADIUS Access-Reject

But I only receive the Access-Reject and no further attribute, despite Step 15016 above.  Did I miss something?

I haven't quite understood what ISE is telling me below - I feel it's a hint but I can't make sense of it yet.

Authentication Details

   Source Timestamp     2017-05-05 08:53:10.064
   Received Timestamp   2017-05-05 08:53:10.059
   Policy Server        ise02
   Event                5400 Authentication failed
   Failure Reason       15039 Rejected per authorization profile
   Resolution           Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
   Root cause           Selected Authorization Profile contains ACCESS_REJECT attribute

I suspected that may be the case. So it seems when ACCESS-REJECT is sent, ISE doesn't send other attributes with the response. Just curious though, what is the application for this? In the end, the NAD will simply deny the user so what is the use for such attribute returned? I can think of logging reasons, but you already have the logging information available centrally on the ISE so not sure if that is what you are after.

Hello, I tried to apply a VLAN attribute in the Access-Reject, but no attribute is applied. Is it possible to apply a VLAN in an Access-Reject for ISE?

Hi

I was also about to quote the RFC but you beat me to it.  I guess my gut feeling on this is that if ISE doesn't support this then the GUI should prevent the user from selecting a custom Authorization Profile. That would send a clear message to the user.

How hard could it be to support such a feature?  I don't see it being a detrimental enhancement to ISE.

I am working on a customer requirement where they are planning to use ISE to check the user credentials during a web proxy authentication (guest users are prompted to enter proxy credentials that are then checked against the active Guest users in ISE). It's not clear at this stage (but it may become a request in future), but it would be useful to be able to indicate back to the Bluecoat Proxy server WHY a user was rejected. The Bluecoat doesn't need to interrogate ISE logs to find this out if it could simply parse the Reply-Message. This is how we used to do it on Cisco Prime Access Registrar in the SP world and it worked really well. If you have intelligent clients that can interpret those status codes then you can create a better user experience, as well as prevent pointless retries because the user/client doesn't know what he is doing wrong.
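The Access-Reject format hslai quotes from RFC 2865 and the Reply-Message parsing Arne wants the proxy to do, worked through as an added example. This is not ISE, Cisco or Bluecoat code; it builds a RADIUS response with the Response Authenticator of RFC 2865 section 3, verifies that authenticator before trusting anything in the reply, and extracts Reply-Message (attribute type 18) with a fallback for the case this thread hits, an Access-Reject that carries no attributes at all. The shared secret, identifier, request authenticator and message text are constructed values.

```python
"""Build and parse RADIUS Access-Reject packets carrying Reply-Message (RFC 2865).

Added example, not ISE/Cisco/Bluecoat code. All secrets and packet values below
are constructed for illustration.
"""
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_REPLY_MESSAGE = 18  # RFC 2865 section 5.18, text the NAS MAY display


def encode_attribute(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) | Length(1) | Value; Length covers all three."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_response(code: int, identifier: int, request_authenticator: bytes,
                   secret: bytes, attributes: list) -> bytes:
    """Assemble a RADIUS response packet (server side).

    RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth +
    Attributes + Secret), stored in the 16-byte Authenticator field.
    """
    if len(request_authenticator) != 16:
        raise ValueError("request authenticator must be 16 bytes")
    attrs = b"".join(attributes)
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    digest = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + digest + attrs


def parse_packet(packet: bytes):
    """Split a packet into (code, identifier, authenticator, [(type, value), ...]).

    Truncated packets and bad attribute lengths raise instead of being read past.
    """
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("invalid Length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("invalid attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def verify_response(packet: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Recompute the Response Authenticator (client side) so a forged or
    tampered reply is not acted on; constant-time compare."""
    _, _, authenticator, _ = parse_packet(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = hashlib.md5(packet[:4] + request_authenticator
                           + packet[20:length] + secret).digest()
    return hmac.compare_digest(expected, authenticator)


def reject_reason(packet: bytes, request_authenticator: bytes, secret: bytes,
                  default: str = "Authentication failed"):
    """What a NAS or proxy would show the user: (is_reject, reason).

    Uses the Reply-Message text when the server included one (it MAY, per the
    RFC) and falls back to a generic reason when, as in this thread, the
    Access-Reject arrives with no attributes.
    """
    if not verify_response(packet, request_authenticator, secret):
        raise ValueError("Response Authenticator mismatch; packet discarded")
    code, _, _, attrs = parse_packet(packet)
    if code != ACCESS_REJECT:
        return False, ""
    messages = [v.decode("utf-8", "replace") for t, v in attrs if t == ATTR_REPLY_MESSAGE]
    return True, (" ".join(messages) if messages else default)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # constructed
    req_auth = bytes(range(16))                # constructed request authenticator
    with_msg = build_response(ACCESS_REJECT, 7, req_auth, secret,
                              [encode_attribute(ATTR_REPLY_MESSAGE, b"User-Not-Found")])
    bare = build_response(ACCESS_REJECT, 7, req_auth, secret, [])
    print(reject_reason(with_msg, req_auth, secret))  # (True, 'User-Not-Found')
    print(reject_reason(bare, req_auth, secret))      # (True, 'Authentication failed')
```

The verification step matters for a proxy that acts on the text: Reply-Message is only integrity-protected by the Response Authenticator, so a client that skips that check would display or log whatever an on-path party put in the reply.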

Our PM has a user story on it but it has not been scheduled or committed, so I can't tell when we may have it.