03-28-2019 04:37 AM
Hi,
I have ISE 2.4.0.357 with patches 1, 2 and 3. I also have a PC with Win 10 and AnyConnect version 4.5.04029.
On ISE I configured dot1x authentication for domain PCs and MAB for printers and IP phones. Everything works OK, but some PCs can't authenticate properly, and in the ISE logs I see the following log: "15039 Rejected per authorization profile". Some time later the same PC authenticates correctly, and this continues over and over.
Has anybody faced a problem like this?
The output of the command sh run int fa0/6 is:
interface FastEthernet0/6
 switchport access vlan 17
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky XXXX.XXXX.XXXX
 switchport port-security
 authentication event fail action next-method
 authentication event server dead action authorize vlan 17
 authentication event server alive action reinitialize
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication periodic
 authentication timer reauthenticate server
 authentication violation restrict
 mab
 dot1x pae authenticator
 spanning-tree portfast
A piece of the output of the command sh auth sess int fa0/6 is:
Runnable methods list:
   Method   State
   dot1x    Failed over
   mab      Failed over
The switch is a WS-C2960+24PC-L and the IOS is 15.0(2)SE8.
03-30-2019 03:24 PM
Check the auth detailed reports and see whether the failed sessions have values of all the attributes to match on your policy rules.
03-28-2019 08:11 AM
Hi,
Remove the "switchport port-security" configuration on all the switchports where you have 802.1x or MAB configured.
Port-security creates issues when used with dot1x/MAB.
Then try again to see if the problem persists.
Please rate if helpful.
09-30-2021 07:47 AM
Hi. I'm a new user of ISE. Please, can you tell me what problems there may be when I configure 802.1x with port security?
09-30-2021 08:09 AM - edited 09-30-2021 08:14 AM
Port security is implemented by the device and, if it conflicts with server authentication, will supersede it. The server isn't aware of port-security. The other thing is that dot1x denies any traffic until authenticated; port-security doesn't authenticate, so dot1x is a more complete access method. I'm not aware of any case where port-security would supplement dot1x security.
I would suggest using host-mode multi-domain for a single phone and PC, as did Mike above.
As for the ISE policies, I would use the Allowed Protocols to determine or limit the policy set, and not use those in the policies themselves. I would drop the RADIUS types; it's already a condition of the policy set "RadiusFlowType EQUALS Wired802_1x". If the allowed protocols are limited to these specific ones, then there is no issue, but if you have more in your allowed protocols and you're filtering here, they could be negotiating another protocol (EAP-TLS) and with these policies you'd be forcing them to a default deny result. I suspect that removing the first 4 conditions in the authorization policy and leaving only the Domain Computers condition would likely improve consistency.
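To turn the two switch-side recommendations in this thread (drop switchport port-security on dot1x/MAB ports, and prefer host-mode multi-domain for a phone plus PC) into a repeatable check, here is an added audit script that is not from the thread or from Cisco. It parses interface stanzas out of running-config text; the sample config is constructed from the fa0/6 stanza above plus a cleaned-up fa0/7, and the finding strings are my own.

```python
# Constructed sample: the fa0/6 stanza from the thread plus a cleaned-up fa0/7.
SAMPLE_CONFIG = """\
interface FastEthernet0/6
 switchport access vlan 17
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky XXXX.XXXX.XXXX
 switchport port-security
 authentication host-mode multi-auth
 authentication open
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
interface FastEthernet0/7
 switchport access vlan 17
 switchport mode access
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
!
"""

def parse_interfaces(config):
    """Return {interface_name: [subcommand, ...]} from show-run style text."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or a top-level command ends the stanza
    return interfaces

def audit_interface(cmds):
    """Return the findings for one interface, based on the advice in this thread."""
    findings = []
    uses_nac = "dot1x pae authenticator" in cmds or "mab" in cmds
    has_port_security = any(c.startswith("switchport port-security") for c in cmds)
    if uses_nac and has_port_security:
        findings.append("port-security configured alongside dot1x/MAB")
    if uses_nac and "authentication host-mode multi-auth" in cmds:
        findings.append("host-mode multi-auth; consider multi-domain for phone+PC")
    return findings

def audit_config(config):
    """Map every interface in the config to its list of findings."""
    return {name: audit_interface(cmds) for name, cmds in parse_interfaces(config).items()}
```

Feed it the output of show running-config from the switch; interfaces with an empty findings list already follow the thread's advice.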