05-03-2017 10:35 PM
Hi
I am unable to figure out how to enrich the Access-Reject reply with additional Radius attributes in a particular use case - I am looking up the Guest User identity store and if the user is disabled then I want to return a custom Reply-Message to the client as a reason for rejecting the request. The response to the client should look as follows:
Access Type = ACCESS_REJECT
Reply-Message = User-Not-Found
But I am unable to specify a customised Deny Result that includes the Reply-Message. Is this possible for Authentication Policies?
Here are the ISE 2.2 Steps
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11117 Generated a new session ID
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType (2 times)
15048 Queried PIP - DEVICE.Device Type
15004 Matched rule - WebProxy
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - Guest_Portal_Sequence
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - user1
24216 The user is not found in the internal users identity store
15013 Selected Identity Source - Guest Users
24631 Looking up User in Internal Guests IDStore
24206 User disabled
22057 The advanced option that is configured for a failed authentication request is used
22061 The 'Reject' advanced option is configured in case of a failed authentication request
11003 Returned RADIUS Access-Reject
05-06-2017 03:46 PM
RFC 2865 RADIUS Section 4.3 Access-Reject says,
...
If any value of the received Attributes is not acceptable, then
the RADIUS server MUST transmit a packet with the Code field set
to 3 (Access-Reject). It MAY include one or more Reply-Message
Attributes with a text message which the NAS MAY display to the
user.
...
Because it is "MAY" and not "MUST", ISE is currently not sending the Reply-Message attribute in the responses.
If you have a very good use case, then I hope you may bring it up with our product management teams, either directly (if Cisco internal) or indirectly (if partners or customers).
05-03-2017 11:24 PM
No, not possible with authentication policies. You will need to let it continue to the Authorization and send a customized AuthZ profile that contains Reject & Reply-Message. The problem is, though, that currently in ISE the 'User Disabled' attribute is not an exposed AuthZ condition, which may make your AuthZ policy a bit more complex.
05-04-2017 04:05 PM
Hi howon
Thanks for the excellent suggestion. I was a long time Cisco Prime Access Registrar user and almost anything was possible - even if it meant writing some tcl code :-)
I tried your suggestion and it works. Well... partially.
On the surface, ISE seems to be processing the request correctly, and even tells me it's applying the AuthZ Profile - but my Access-Reject does not contain the additional attribute I wanted.
I created an Authorization Profile called "WebProxyRejectUNF" that contains the additional Reply-Message:
Access Type = ACCESS_REJECT
Reply-Message = User-Not-Found
And when I get such a failed Auth, the steps now look correct
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11117 Generated a new session ID
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP - Normalised Radius.RadiusFlowType (2 times)
15048 Queried PIP - DEVICE.Device Type
15004 Matched rule - WebProxy
15041 Evaluating Identity Policy
15006 Matched Default Rule
22072 Selected identity source sequence - Guest_Portal_Sequence
15013 Selected Identity Source - Internal Users
24210 Looking up User in Internal Users IDStore - user1
24216 The user is not found in the internal users identity store
15013 Selected Identity Source - Guest Users
24631 Looking up User in Internal Guests IDStore
24206 User disabled
22057 The advanced option that is configured for a failed authentication request is used
22060 The 'Continue' advanced option is configured in case of a failed authentication request
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP - DEVICE.Device Type
15048 Queried PIP - Network Access.AuthenticationStatus
15004 Matched rule - Web Proxy Failed
15016 Selected Authorization Profile - WebProxyRejectUNF
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
But I only receive the Access-Reject and no further attribute, despite Step 15016 above. Did I miss something?
I haven't quite understood what ISE is telling me below - I feel it's a hint but I can't make sense of it yet.
Authentication Details
Source Timestamp 2017-05-05 08:53:10.064
Received Timestamp 2017-05-05 08:53:10.059
Policy Server ise02
Event 5400 Authentication failed
Failure Reason 15039 Rejected per authorization profile
Resolution Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause Selected Authorization Profile contains ACCESS_REJECT attribute
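To see on the wire what the difference between the two replies in this thread actually is, here is a small RADIUS encoder/decoder written for this page (it is not ISE, Cisco or RFC reference code). It builds an Access-Reject (Code 3) with and without the Reply-Message attribute (type 18) as RFC 2865 describes, computes and checks the Response Authenticator, and lists the Reply-Message texts a NAS or proxy would be able to parse. The shared secret and the Request Authenticator are constructed sample values; on a real capture you would feed in the bytes of the Access-Request you sent and the secret configured on the NAD.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ACCESS_REJECT = 3
ATTR_USER_NAME = 1
ATTR_REPLY_MESSAGE = 18

# Constructed sample values for this demonstration (not taken from the thread):
# the 16-byte Request Authenticator of the Access-Request being answered,
# and the shared secret configured between NAS and server.
REQ_AUTH = bytes(range(16))
SECRET = b"constructed-shared-secret"


def encode_attributes(attrs):
    """Serialise (type, value-bytes) pairs as RADIUS TLVs: type, length, value."""
    out = b""
    for attr_type, value in attrs:
        if not 0 <= len(value) <= 253:
            raise ValueError("attribute value must be 0..253 bytes")
        out += struct.pack("!BB", attr_type, len(value) + 2) + value
    return out


def build_response(code, identifier, request_authenticator, secret, attrs):
    """Build a RADIUS response packet. The Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def parse_packet(packet):
    """Decode the header and attribute list, refusing malformed lengths."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len]))
        pos += attr_len
    return {"code": code, "id": identifier,
            "authenticator": packet[4:20], "attributes": attrs}


def verify_response(packet, request_authenticator, secret):
    """Check that the Response Authenticator matches the request it answers."""
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def reply_messages(parsed):
    """Return every Reply-Message text carried by a parsed packet."""
    return [v.decode("utf-8", "replace")
            for t, v in parsed["attributes"] if t == ATTR_REPLY_MESSAGE]


if __name__ == "__main__":
    # What the thread observed: a bare Access-Reject with no attributes at all.
    bare = build_response(ACCESS_REJECT, 7, REQ_AUTH, SECRET, [])
    # What the poster wanted: the same reject carrying a Reply-Message.
    rich = build_response(ACCESS_REJECT, 7, REQ_AUTH, SECRET,
                          [(ATTR_REPLY_MESSAGE, b"User-Not-Found")])
    for name, pkt in (("bare reject", bare), ("reject with Reply-Message", rich)):
        parsed = parse_packet(pkt)
        print(name, "| code", parsed["code"],
              "| authenticator ok:", verify_response(pkt, REQ_AUTH, SECRET),
              "| reply:", reply_messages(parsed))
```

A bare Access-Reject is exactly 20 bytes (header plus authenticator), which is what the poster saw; the enriched one carries the 16-byte Reply-Message TLV after the authenticator. Checking the Response Authenticator before trusting the Reply-Message text matters because a proxy that displays or acts on that string should only do so for replies that are bound to its own request and secret.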
05-05-2017 07:49 AM
I suspected that may be the case. So it seems when ACCESS-REJECT is sent, ISE doesn't send other attributes with the response. Just curious though, what is the application for this? In the end, the NAD will simply deny the user so what is the use for such attribute returned? I can think of logging reasons, but you already have the logging information available centrally on the ISE so not sure if that is what you are after.
11-18-2018 11:44 PM
Hello, I tried to apply a VLAN attribute in the Access-Reject, but no attribute is applied. Is it possible to apply a VLAN in an Access-Reject for ISE?
05-06-2017 04:49 PM
Hi
I was also about to quote the RFC but you beat me to it. I guess my gut feeling on this is that if ISE doesn't support this then the GUI should prevent the user from selecting a custom Authorization Profile. That would send a clear message to the user.
How hard could it be to support such a feature? I don't see it being a detrimental enhancement to ISE.
I am working on a customer requirement where they are planning to use ISE to check the user credentials during a web proxy authentication (guest users are prompted to enter proxy credentials that are then checked against the active Guest users in ISE). It's not clear at this stage (but it may become a request in future), but it would be useful to be able to indicate back to the Bluecoat Proxy server WHY a user was rejected. The Bluecoat wouldn't need to interrogate ISE logs to find this out if it could simply parse the Reply-Message. This is how we used to do it on Cisco Prime Access Registrar in the SP world and it worked really well. If you have intelligent clients that can interpret those status codes then you can create a better user experience, as well as prevent pointless retries because the user/client doesn't know what he is doing wrong.
05-11-2017 01:02 PM
Our PM has a user story on it, but it has not been scheduled or committed, so I can't tell when we may have it.