ISE 2.0 allowing unregisterd host to internet

hacizeynal
Level 1

Hi dears,

I have a question regarding ISE. I have deployed ISE 2.0 and am now testing it. I haven't added any MAC addresses for MAB yet; here is the config under the interface.

int gig 2/0/1
switchport access vlan 100
switchport mode access
switchport voice vlan 200
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
mab
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast

When I enable mab under the interface like this, it allows this host internet access? But it shouldn't be like that, because I haven't added any MAC address to ISE.

14 Replies

Tim Steele
Level 1

What authz profile gets applied by your default rule? 

I am following Keith Barker's videos; I am a little bit new. How can I check it?

Go to Policy -> Authorization (or if you have Policy Sets, choose that).  You'll want to look at the last policy - the Default policy (or rule).  It will be called Default, then will have the authz profile listed beside it.

For your switch output, try "show auth sess int gi2/0/1 detail" instead.  I see you have two MAC addresses there - is there a switch or hub plugged into this port or is it a phone with a PC behind it?

Also, look at Operations -> Radius Live Log and paste in your results.

Tim

Yes Tim, there is an iPhone connected to the test PC.

AZPBTASW001#sh authentication sessions interface gigabitEthernet 2/0/1 details
Interface: GigabitEthernet2/0/1
MAC Address: 9457.a5b0.0ade
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: 94-57-A5-B0-0A-DE
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000640000012B75977C34
Acct Session ID: 0x00000039
Handle: 0xE7000033
Current Policy: POLICY_Gi2/0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:

Method status list:
Method State
dot1x Stopped
mab Authc Success

----------------------------------------
Interface: GigabitEthernet2/0/1
MAC Address: dcce.c115.0a33
IPv6 Address: Unknown
IPv4 Address: Unknown
User-Name: DC-CE-C1-15-0A-33
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Common Session ID: 0A0000640000012C75977C49
Acct Session ID: 0x00000038
Handle: 0xAC000034
Current Policy: POLICY_Gi2/0/1

Local Policies:
Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)

Server Policies:

Method status list:
Method State
dot1x Stopped
mab Authc Success

Can you paste in the results shown in the Radius Live Log to point out the authz profile that is being applied?  Again, you can find that at Operations -> Radius Livelog

Do you have profiling probes configured in ISE? You can check by going to Administration -> System -> Deployment, clicking on the hostname of your PSN, then clicking the Profiling Configuration tab toward the top.  You could instead use the IOS Device Sensor to have the switch send profiling details to ISE via radius accounting - much more efficient if your switch supports it.

Do you have an authz policy for Cisco IP Phones?  It should look something like this:

If profiling is working correctly, ISE should be able to identify the phone as a Cisco IP Phone.  Then, when you look at the auth session on the switch, you should have the phone showing in the VOICE domain, and the PC in the DATA domain.

Take a look at how you have your authc (authentication) policy configured.  Do they look something like this?

When you look at the detail of the MAB Default rule you may see this:

The "Continue" if user not found allows an endpoint authc attempt to forward to the authz (authorization) phase.  This is specifically useful for the guest use case.  So, if your PC was not "known" by ISE yet, it could still get passed on to the authz phase.  Then, if your authz Default policy has something other than DenyAccess, it would pass authz.

There are several things that need to be reviewed as mentioned above.  Please provide the details and we'll see if we can help you out.

Tim

Take a look at the Authorization Profiles column.  Your endpoint was given PermitAccess.  If you look at the Authorization Policy column, you can see part of the path to the actual authz policy/rule this endpoint hit.  Grab a screen shot of your authz policies and paste in for review.

Your endpoint is matching the Basic_Authenticated_Access authz policy.  If you look at how that policy is constructed, the only conditions required to be met are:

1) authentication has passed

2) the auth attempt is MAB and on the wired network

If those conditions are met, the endpoint gets the PermitAccess authz profile.

There are two phases that a network access attempt has to go through: authentication (authc) and authorization (authz).  Once the attempt has passed authc, it then gets exposed to the authz policies.  If there is no match, the Default policy is used. 

In your case, it appears that either the MAC address was already in the ISE database or your authc policy is set to "Reject, Continue, Drop" as I mentioned earlier in the thread when I was talking about your MAB Default rule.  Take a look at my screen shot regarding a MAB Default policy above and see if that is how yours is set. 

If you are not going to have any Guest use cases in your authz policies, then you can set that to "Reject, Reject, Drop" if you want.  Keep in mind that even if an endpoint is allowed to "bypass" the authc phase, it still has to match the conditions of an authz policy to gain access.  In your case, you could leave the authc policy as-is, but either remove the Basic_Authenticated_Access policy, or add another condition to it - like an endpoint identity group.  I typically get pretty specific with my policy naming and policy element naming.  So, if you were trying to MAB auth a printer for instance, I would create an endpoint identity group called Printers, populate that group with my printer MAC addresses, create an authz profile called Printers and give it the proper vlan and dACL (if needed), then create my authz policy calling it Printers so you'd end up with a policy that looks like this:

I'm not suggesting that all printers be authc/authz with MAB, just using it as an example.

Tim
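An added example, not from the thread or from Cisco ISE, that models the authc/authz flow described in the reply above: with "Continue" on user-not-found and the stock Basic_Authenticated_Access rule, an unknown wired MAB endpoint lands on PermitAccess, while an endpoint-identity-group condition or "Reject" closes that path. The Printers group and profile, the endpoint database contents, and treating a Continue as a passed authentication in authz are assumptions of the model.

```python
# Added example, not from the thread or from Cisco ISE: a small model of the
# authc -> authz flow described above. Basic_Authenticated_Access, PermitAccess
# and DenyAccess are the ISE names used in the thread; the Printers identity
# group/profile and the endpoint database contents are constructed.
KNOWN_ENDPOINTS = {"00-11-22-33-44-55": "Printers"}  # constructed MAC -> identity group

def authc_mab(mac, if_user_not_found):
    """MAB authc: endpoint lookup, then the 'If user not found' action."""
    if mac in KNOWN_ENDPOINTS:
        return "passed"
    return "continue" if if_user_not_found == "Continue" else "rejected"

def authz(request, rules, default_profile="DenyAccess"):
    """First authz rule whose conditions all match wins; else the Default rule."""
    for name, conditions, profile in rules:
        if all(cond(request) for cond in conditions):
            return name, profile
    return "Default", default_profile

def evaluate(mac, if_user_not_found, rules):
    """One wired MAB attempt end to end; returns (stage, rule, profile)."""
    status = authc_mab(mac, if_user_not_found)
    if status == "rejected":
        return ("authc", None, "Access-Reject")
    # Assumption in this model: a 'Continue' is carried into authz as a passed
    # authentication, which is what the thread observes for the unknown PC.
    request = {"mab": True, "wired": True, "authc_passed": True,
               "group": KNOWN_ENDPOINTS.get(mac)}
    rule, profile = authz(request, rules)
    return ("authz", rule, profile)

# Conditions referenced by the rules
authenticated = lambda r: r["authc_passed"]
wired_mab = lambda r: r["mab"] and r["wired"]
in_printers = lambda r: r["group"] == "Printers"

# Stock-style rule from the thread: any authenticated wired MAB -> PermitAccess
DEFAULT_RULES = [("Basic_Authenticated_Access", [authenticated, wired_mab], "PermitAccess")]
# Tightened rule: membership in an endpoint identity group is required
TIGHTENED_RULES = [("Printers", [wired_mab, in_printers], "Printers")]

if __name__ == "__main__":
    unknown = "94-57-A5-B0-0A-DE"  # the PC MAC from the thread, not in the DB
    print(evaluate(unknown, "Continue", DEFAULT_RULES))
    print(evaluate(unknown, "Continue", TIGHTENED_RULES))
    print(evaluate(unknown, "Reject", DEFAULT_RULES))
    print(evaluate("00-11-22-33-44-55", "Continue", TIGHTENED_RULES))
```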

Thanks Tim, if you have time, can we troubleshoot it together?

Possibly next week.  I just sent you a private message, take a look and respond when you can.

Tim

Hi Tim, how are you? I can't write a personal message to you from there.

hacizeynal
Level 1

AZPBTASW001#sh authentication sessions interface gigabitEthernet 2/0/1

Interface MAC Address Method Domain Status Fg Session ID
----------------------------------------------------------------------
Gi2/0/1 dcce.c115.0a33 mab DATA Auth 0A0000640000012275700BFC
Gi2/0/1 9457.a5b0.0ade mab DATA Auth 0A00006400000121757008DC


Key to Session Events Blocked Status Flags:

A - Applying Policy (multi-line status for details)
D - Awaiting Deletion
F - Final Removal in progress
I - Awaiting IIF ID allocation
N - Waiting for AAA to come up
P - Pushed Session
R - Removing User Profile (multi-line status for details)
U - Applying User Profile (multi-line status for details)
X - Unknown Blocker

Runnable methods list:
Handle Priority Name
9 5 dot1x
16 10 mab
14 15 webauth

hacizeynal
Level 1

OK, I don't do anything with adding devices to identities, but during the authentication process both my PC and phone are showing up on that sheet.
