01-18-2013 09:11 AM - edited 03-10-2019 07:59 PM
Hello,
I have an authorization rule which verifies that the AV (McAfee 12.x) is installed (thanks to the NAC agent), time restrictions and so on....
The connection failed with this code: 15039 Rejected per authorization profile
How can I obtain some more details on that?
I mean, I'd like to know which condition is not verified and leads to a failed connection.
Regards.
V.
01-18-2013 05:29 PM
Please tell us a little about your setup: is this in production and only affecting a few users, or are you in a lab environment trying to iron out your policies? That error typically means the client didn't meet an authorization condition. If a client fails a posture condition, the client's posture status changes to not compliant.
Thanks
Tarik Admani
Sent from Cisco Technical Support iPad App
01-19-2013 02:04 PM
Hello Tarik, thanks for answering,
This is a lab environment; I'm gonna try to capture traffic to debug a little bit more.
I have the ISE, a switch and an XP workstation with McAfee 12.x (and NAC agent).
The ISE is configured to let the XP workstation come in when McAfee 12.x is installed.
Without posture assessment, the XP gets connected perfectly.
I'd like to see some log saying which condition leads to a reject.
In the meantime I will try : "monitor>report> catalog>posture"
thank you Tarik.
V.
01-19-2013 11:05 PM
Can you provide a screenshot of the authentications portion followed by the authorization rules?
Thanks,
Tarik Admani
*Please rate helpful posts*
01-21-2013 01:17 AM
Hello Tarik,
I am a little bit upset with Cisco.
Thanks to one of your posts around, I discovered that I need both a redirection URL and an ACL to do the job.
All of this is not clearly depicted in the documentation....
I think I am close to the solution.
01-21-2013 01:19 AM
No problem, let me know if you are able to resolve your issue and please post what you found before and after. I am sure I and a lot of people have run into the same issue you are running into before.
Thanks!
Tarik Admani
*Please rate helpful posts*
01-21-2013 07:52 AM
Hello Tarik (and others)
OK, my objective is to authorize a user whose workstation has McAfee 12.x installed (NAC Agent installed).
As I said previously, I do need an authorization profile like this one:
I'm a little bit upset because it is not clearly depicted in the documentation (or hard to find).
Thankfully, you, Tarik, mentioned it on the forum somewhere.
This authorization policy works, but as you can see, the second condition is posture status = unknown.
Once the password is entered, the NAC agent reacts, and grants the user successfully!
Just take a look at the live authentication window: the status is pending first, and after a while, a "red" line is added above saying that the posture is now compliant (confirmed by the NAC agent that has been upgraded in the meantime).
Why do I need to set the posture status to unknown?
Regards.
V.
01-21-2013 11:52 PM
Do you want compliant devices to get the profile VLAN-10?
In your Authorization Policy it says (Tarik can correct me if I am wrong):
IF
a user from the group Users-1
AND
the device is connected to network device R1
AND
the posture status is Unknown
THEN
add device profile VLAN-10
But according to the authentication log the posture status is Compliant. So I am guessing that you are never hitting that authorization rule since the posture status is Compliant and not Unknown.
What happens if you set the third condition to Compliant instead of Unknown?
01-22-2013 12:54 AM
Hi Philip,
For the time being, it is the way I got it to work.
It's a bit weird, I know.
The workstation is compliant, but I need to set the condition to unknown for the NAC agent to parse the configuration and say that the AV has the right version (in that case).
The workstation is then compliant, and the network access is granted!
I have to work a little more on that, but Cisco documentation doesn't help that much.
Thank you for answering my friend.
V.
01-22-2013 05:56 AM
Hi,
The red error is a dynamic authorization error message. Please check the change of authorization settings on your device (if this is a wireless controller, make sure RADIUS NAC is enabled). If this is a wired device, make sure the following command is entered and the shared secret is correct:
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a2.html#wp1073129
This boils down to ISE not being able to force the client to re-authenticate for the new compliant policy.
Thanks,
Sent from Cisco Technical Support iPad App
01-22-2013 07:40 AM
Hello Tarik,
Yes, the command is in the config since the beginning.
This morning I upgraded to version 1.1.2 and applied the latest patch.
Regards.
Vincent.
01-22-2013 07:51 AM
Now Tarik, my question is :
What happens when a "non compliant" rule is hit (giving me a VLAN along with an ACL) and the corrective action took place successfully?
Do I stay in the same VLAN, or does the ISE push me the result from the "compliant" rule?
Am I clear enough?
:-)
This is the live auth window:
Bottom to top:
- posture unknown
- remediation done
- disable/enable of the workstation NIC and posture now compliant.
When remediation is OK, the workstation is still under the VLAN-10 authorization profile.
V.
01-22-2013 04:22 PM
If you are non-compliant, the NAC agent should still appear with "Re-Scan". When the user remediates or remediation is done automatically, the NAC agent should rescan and send the posture report over to ISE. ISE then flips the session over to compliant and then issues the COA to reauthorize the user.
So you should dynamically get placed on the correct VLAN, and the NAC agent should refresh your IP (if you have enabled the VLAN detect feature in the agent profile settings).
Thanks,
Tarik Admani
*Please rate helpful posts*
01-23-2013 12:19 AM
hello Tarik,
Yes, it should, but it does not work....
I think that COA is only related to inline posture, isn't it?
V.
01-23-2013 01:28 AM
Hi,
COA is a feature used by ISE to dynamically change a user's policy within the network. The Inline node is needed in order to bridge this limitation with the ASA. Without this device you will not be able to posture users that connect through an ASA.
Essentially the flow should follow this path:
Client authenticates (authorized with limited connectivity)
Client provides posture report (endpoint changes from pending to compliant)
ISE issues COA to NAD
NAD reauthorizes the user
Client now has full connectivity.
Please check the dynamic authorization settings, you have to enter a key which is the same value as the shared secret.
Tarik Admani
*Please rate helpful posts*
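As an added illustration (not from this thread, and not Cisco code), a small Python model of the two-rule policy Philip spelled out and the authenticate / posture report / CoA / reauthorize flow Tarik describes above. The group, device and profile names are constructed, and the NAD's dynamic authorization setting is reduced to a boolean.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Rule:
    name: str
    group: str       # identity group condition (constructed value "Users-1")
    device: str      # network device condition (constructed value "R1")
    posture: str     # "Unknown", "Compliant" or "NonCompliant"
    result: str      # authorization profile returned to the NAD

@dataclass
class Session:
    user_group: str
    nad: str
    posture: str = "Unknown"       # every new session starts as Unknown
    profile: Optional[str] = None  # profile currently applied by the NAD

# Constructed two-rule policy: evaluated top to bottom, first match wins.
POLICY = [
    Rule("Posture-Unknown", "Users-1", "R1", "Unknown", "Limited-Access (redirect ACL)"),
    Rule("Posture-Compliant", "Users-1", "R1", "Compliant", "VLAN-10"),
]

def authorize(session: Session, policy: List[Rule] = POLICY) -> Optional[str]:
    """Evaluate the policy; None models '15039 Rejected per authorization profile'."""
    for rule in policy:
        if (rule.group, rule.device, rule.posture) == (session.user_group, session.nad, session.posture):
            session.profile = rule.result
            return rule.result
    session.profile = None
    return None

def posture_report(session: Session, compliant: bool, coa_enabled: bool) -> Optional[str]:
    """Agent reports posture; ISE flips the status and, if the NAD accepts
    dynamic authorization (CoA), the NAD reauthorizes the session."""
    session.posture = "Compliant" if compliant else "NonCompliant"
    if not coa_enabled:
        # The thread's dynamic authorization error: no reauth, so the session
        # keeps whatever the Unknown rule handed out.
        return session.profile
    return authorize(session)

def run_flow(coa_enabled: bool) -> Optional[str]:
    """Initial authentication (posture Unknown) then a compliant posture report."""
    s = Session("Users-1", "R1")
    authorize(s)
    return posture_report(s, compliant=True, coa_enabled=coa_enabled)
```

With only a Compliant rule in the policy, a fresh session (posture Unknown) matches nothing and is rejected, which is the first symptom reported in the thread; with CoA refused by the NAD, the session stays on the Unknown rule's profile after remediation, which is the second.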