Solved: Re: i have problem with 802.X

Saeed Abd Elhalim Hamada · ‎01-29-2025

i have configure closed mode and i have authiz profile for any Dynamic VLAN 50

and my authiz policy if user found in external Idi store then apply Auhiz profls that assigned the pc in vlan 50

problem is the user hit for the default policy and deny acc

Jan 29 15:06:01.998: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (7486.e23c.1af3) with reason (Timeout) on Interface Gi6/0/23 AuditSessionID 01000C0A0000E845B2602950 Username: NIBHQ\6886
Jan 29 15:06:29.998: %DOT1X-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (7486.e23c.1af3) with reason (Timeout) on Interface Gi6/0/23 AuditSessionID 01000C0A0000E845B2602950 Username: NIBHQ\6886
Jan 29 15:06:30.009: %MAB-5-FAIL: Switch 1 R0/0: sessmgrd: Authentication failed for client (7486.e23c.1af3) with reason (Cred Fail) on Interface Gi6/0/23 AuditSessionID 01000C0A0000E845B2602950
Jan 29 15:06:30.011: %SESSION_MGR-5-FAIL: Switch 1 R0/0: sessmgrd: Authorization failed or unapplied for client (7486.e23c.1af3) on Interface GigabitEthernet6/0/23 AuditSessionID 01000C0A0000E845B2602950. Failure reason: Authc fail. Auth

Authentication Details

Source Timestamp	2025-01-29 15:04:51.351
Received Timestamp	2025-01-29 15:04:51.351
Policy Server	ISE-01
Event	5400 Authentication failed
Failure Reason	15039 Rejected per authorization profile
Resolution	Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause	Selected Authorization Profile contains ACCESS_REJECT attribute
Username	NIBHQ\6886
Endpoint Id	74:86:E2:3C:1A:F3
Calling Station Id	74-86-E2-3C-1A-F3
Endpoint Profile	Dell-Device
Authentication Identity Store	NibHQ-AD
Identity Group	Profiled
Audit Session Id	01000C0A0000E835B254D347
Authentication Method	dot1x
Authentication Protocol	PEAP (EAP-MSCHAPv2)
Service Type	Framed
Network Device	Edge-F3-01-R.Nibhq.local
Device Type	All Device Types#NAS Address
NAS IPv4 Address	10.100.3.1
NAS Port Id	GigabitEthernet6/0/23
NAS Port Type	Ethernet
Authorization Profile	DenyAccess
Posture Status	Pending
Response Time	35 milliseconds

Other Attributes

ConfigVersionId	309
Device Port	64536
DestinationPort	1812
RadiusPacketType	AccessRequest
Protocol	Radius
NAS-Port	50623
Framed-MTU	1468
State	37CPMSessionID=01000C0A0000E835B254D347;33SessionID=ISE-01/526818642/483011;
NetworkDeviceProfileId	b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow	false
AcsSessionID	ISE-01/526818642/483011
DetailedInfo	Authentication succeed
SelectedAuthenticationIdentityStores	NibHQ-AD
IdentityPolicyMatchedRule	Wired 802.1x
AuthorizationPolicyMatchedRule	Default
EndPointMACAddress	74-86-E2-3C-1A-F3
ISEPolicySetName	Wired-802.1x-POST_copy
IdentitySelectionMatchedRule	Wired 802.1x
AD-User-Resolved-Identities	6886@nibhq.local
AD-User-Candidate-Identities	6886@nibhq.local
TotalAuthenLatency	62
ClientLatency	27
AD-User-Resolved-DNs	CN=Saeed AbdelHalim,OU=Users,OU=50_General Department of Operations and Networks,OU=NIB-Sectors,DC=nibhq,DC=local
AD-User-DNS-Domain	nibhq.local
AD-Groups-Names	nibhq.local/Builtin/Administrators
AD-Groups-Names	nibhq.local/Builtin/Remote Desktop Users
AD-Groups-Names	nibhq.local/Builtin/Users
AD-Groups-Names	nibhq.local/Users/Denied RODC Password Replication Group
AD-Groups-Names	nibhq.local/Users/DHCP Administrators
AD-Groups-Names	nibhq.local/Users/Domain Users
AD-Groups-Names	nibhq.local/Users/REMOTE_ACCESS_APPLICATIONS
AD-Groups-Names	nibhq.local/NIB-OUs/NIB-Sectors/guest/GUEST_GROUPE
AD-Groups-Names	nibhq.local/NIB-OUs/NIB-Sectors/الإدارة المركزية لتكنولوجيا المعلومات_50/الإدارة المركزية لتكنولوجيا المعلومات
AD-Groups-Names	nibhq.local/NIB Appliances Groups Authentication/ISE Admins
AD-Groups-Names	nibhq.local/NIB-OUs/fs-it-share
AD-Groups-Names	nibhq.local/Users/Domain Admins
AD-User-NetBios-Name	NIBHQ
IsMachineIdentity	false
UserAccountControl	512
AD-User-SamAccount-Name	6886
AD-User-Qualified-Name	6886@nib.gov.eg
TLSCipher	ECDHE-RSA-AES256-GCM-SHA384
TLSVersion	TLSv1.2
DTLSSupport	Unknown
HostIdentityGroup	Endpoint Identity Groups:Profiled
Network Device Profile	Cisco
Location	Location#All Locations
Device Type	Device Type#All Device Types#NAS Address
IPSEC	IPSEC#Is IPSEC Device#No
ExternalGroups	nibhq.local/S-1-5-32-544
ExternalGroups	nibhq.local/S-1-5-32-555
ExternalGroups	nibhq.local/S-1-5-32-545
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-572
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-1114
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-513
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-11959
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-18860
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-18505
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-18503
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-14934
ExternalGroups	S-1-5-21-4129499605-3250610629-1857627236-512
IdentityAccessRestricted	false
RADIUS Username	NIBHQ\6886
Device IP Address	10.100.3.1
CPMSessionID	01000C0A0000E835B254D347
Called-Station-ID	7C:AD:4F:28:FD:97
CiscoAVPair	cts-pac-opaque=****,service-type=Framed,audit-session-id=01000C0A0000E835B254D347,method=dot1x,client-iif-id=355275030,AuthenticationIdentityStore=NibHQ-AD,FQSubjectName=e0d4af20-de9d-11ed-ab69-7e7af6e903ec#6886@nibhq.local,UniqueSubjectID=98fc117dd5036c1a54791943b1971568ea822d48

Result

RadiusPacketType

AccessReject

Steps

Step ID	Description	Latency (ms)
11001	Received RADIUS Access-Request - NibHQ-AD
11017	RADIUS created a new session - nibhq.local	0
15049	Evaluating Policy Group - NibHQ-AD	0
15008	Evaluating Service Selection Policy	1
15048	Queried PIP - DEVICE.Device Type	0
15048	Queried PIP - Radius.NAS-Port-Id	0
15048	Queried PIP - DEVICE.Network Device Profile	0
15048	Queried PIP - Normalised Radius.RadiusFlowType	1
11507	Extracted EAP-Response/Identity	0
12500	Prepared EAP-Request proposing EAP-TLS with challenge	0
12625	Valid EAP-Key-Name attribute received	1
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	3
11018	RADIUS is re-using an existing session	0
12301	Extracted EAP-Response/NAK requesting to use PEAP instead	0
12300	Prepared EAP-Request proposing PEAP with challenge	0
12625	Valid EAP-Key-Name attribute received	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	3
11018	RADIUS is re-using an existing session	0
12302	Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated	0
61025	Open secure connection with TLS peer	0
12318	Successfully negotiated PEAP version 0	1
12800	Extracted first TLS record; TLS handshake started	0
12805	Extracted TLS ClientHello message	0
12806	Prepared TLS ServerHello message	0
12807	Prepared TLS Certificate message	0
12808	Prepared TLS ServerKeyExchange message	7
12810	Prepared TLS ServerDone message	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	3
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	3
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	1
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	4
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
12318	Successfully negotiated PEAP version 0	0
12810	Prepared TLS ServerDone message	0
12812	Extracted TLS ClientKeyExchange message	3
12803	Extracted TLS ChangeCipherSpec message	0
12804	Extracted TLS Finished message	0
12801	Prepared TLS ChangeCipherSpec message	0
12802	Prepared TLS Finished message	0
12816	TLS handshake succeeded	0
12310	PEAP full handshake finished successfully	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	4
11018	RADIUS is re-using an existing session	1
12304	Extracted EAP-Response containing PEAP challenge-response	0
12313	PEAP inner method started	0
11521	Prepared EAP-Request/Identity for inner EAP method	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	2
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	1
11522	Extracted EAP-Response/Identity for inner EAP method	0
11806	Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	4
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
11808	Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated	0
15041	Evaluating Identity Policy	0
15013	Selected Identity Source - NibHQ-AD	1
24430	Authenticating user against Active Directory - NibHQ-AD	0
24325	Resolving identity - NIBHQ\6886	2
24313	Search for matching accounts at join point - nibhq.local	0
24315	Single matching account found in domain - nibhq.local	0
24323	Identity resolution detected single matching account	0
24343	RPC Logon request succeeded - 6886@nibhq.local	2
24402	User authentication against Active Directory succeeded - NibHQ-AD	0
22037	Authentication Passed	0
11824	EAP-MSCHAP authentication attempt passed	0
12305	Prepared EAP-Request with another PEAP challenge	0
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	2
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
11810	Extracted EAP-Response for inner method containing MSCHAP challenge-response	0
11814	Inner EAP-MSCHAP authentication succeeded	0
11519	Prepared EAP-Success for inner EAP method	0
12314	PEAP inner method finished successfully	0
12305	Prepared EAP-Request with another PEAP challenge	1
11006	Returned RADIUS Access-Challenge	0
11001	Received RADIUS Access-Request	2
11018	RADIUS is re-using an existing session	0
12304	Extracted EAP-Response containing PEAP challenge-response	0
24715	ISE has not confirmed locally previous successful machine authentication for user in Active Directory	0
15036	Evaluating Authorization Policy	0
24209	Looking up Endpoint in Internal Endpoints IDStore - NIBHQ\6886	1
24211	Found Endpoint in Internal Endpoints IDStore	1
24432	Looking up user in Active Directory - NIBHQ\6886
24355	LDAP fetch succeeded
24416	User's Groups retrieval from Active Directory succeeded
15048	Queried PIP - NibHQ-AD.ExternalGroups	3
15048	Queried PIP - Network Access.AuthenticationStatus	0
15048	Queried PIP - Session.PostureStatus	1
15048	Queried PIP - Session.PostureStatus	0
15016	Selected Authorization Profile - DenyAccess	1
15039	Rejected per authorization profile	0
12306	PEAP authentication succeeded	0
61026	Shutdown secure connection with TLS peer	1
11503	Prepared EAP-Success	0
11003	Returned RADIUS Access-Reject	0

Rob Ingram · ‎01-30-2025

@Saeed Abd Elhalim Hamada scroll down where it lists the AD groups and provide a screenshot of the retrieve list of groups.

View solution in original post

Rob Ingram · ‎01-29-2025

@Saeed Abd Elhalim Hamada as per your output - "15039 Rejected per authorization profile" - so the user did not match your authorisation rules. Perhaps the user is not a member of the correct AD group (depending on your rule configuration).

What is the configuration of your authorisation policy rules? Can you provide screenshots?

MHM Cisco World · ‎01-29-2025

User is identified by MAC

So it MAB not 802.1x

Can I see authc and authz policy

MHM

Saeed Abd Elhalim Hamada · ‎01-29-2025

@MHM Cisco World @Rob Ingram

VLAN50

Rob Ingram · ‎01-30-2025

@Saeed Abd Elhalim Hamada the output above confirms the AD groups that user is a member of

None of which seem to be

So the user won't match that rule and is hitting the default, which is rejecting.

Check the user is a member of the correct AD group. Or amend the rule to permit traffic from another group.

Saeed Abd Elhalim Hamada · ‎01-30-2025

what about the resolved group name ???

Saeed Abd Elhalim Hamada · ‎01-30-2025

when i made test user ?

Saeed Abd Elhalim Hamada · ‎01-29-2025

user in the same group after test

Rob Ingram · ‎01-30-2025

@Saeed Abd Elhalim Hamada scroll down where it lists the AD groups and provide a screenshot of the retrieve list of groups.

Saeed Abd Elhalim Hamada · ‎01-30-2025

@Rob Ingram thanks i just removed all AD groups and retived them again and it`s works for me ^_^

MHM Cisco World · ‎01-30-2025

Sorry can you elaborate more about authc policy you use ?

There is unknown? What is unknown ?

MHM