Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1900
Views
10
Helpful
13
Replies

ISE MAB for Cisco IP phone without profiling license.

Go to solution
ali007
Level 1
Level 1

‎09-29-2022 03:45 AM - edited ‎09-29-2022 03:55 AM

hi,

I am trying to setup our ISE for Cisco IP phone and we do not have license to support profiling. do you have a step by step guide or something so I can copy it? I have tried everything so far that I know but it wouldnt work as I am keep getting the following error:

resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.

root cause: Selected Authorization Profile contains ACCESS_REJECT attribute

ISE Version is: 3.2

thanks in advance

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Aref Alsouqi
VIP
VIP
In response to ali007

‎09-29-2022 09:02 AM

Thanks. It seems ISE is complaining about the network device profile. What network device profile have you selected in the phones authorization profile? that option should be the second from top. Could you please try to set that to "any" and see if this makes any difference?

View solution in original post

0 Helpful
13 Replies 13

Go to solution
Aref Alsouqi
VIP
VIP

‎09-29-2022 05:30 AM

I think you can create an identity group, importing/moving the phones' MAC addresses into the identity group, and then reference the identity group on the authorization rule. That should match the traffic coming from the phones without relying on profiling at all. The downside of this is that you need to add any additional phone MAC address to the identity group.

Go to solution
ali007
Level 1
Level 1
In response to Aref Alsouqi

‎09-29-2022 05:50 AM

Hi Aref.

I have done just that but getting the below error- also, I have only selected "voice domain" in the result profile - is that right?: 

Event : 5434 Endpoint conducted several failed authentications of the same scenario

Failure Reason: 15039 Rejected per authorization profile

Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.

Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute

 

 

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎09-29-2022 06:08 AM

Yes, voice domain permission would be required. It does seem that the traffic coming from the phones is not matching the right authorization profile. Would you mind sharing sanitized screenshots of your authentication and authorization rules for review?

Go to solution
ali007
Level 1
Level 1
In response to Aref Alsouqi

‎09-29-2022 07:13 AM - edited ‎09-29-2022 07:17 AM

thanks Aref, I can see the right authZ policy is selected in the logs but still access_reject is chosen: 

(check the attached screenshot)

there was a default IP Phone group so I added the MAC to this group statically.

Preview file
12 KB
0 Helpful

Go to solution
andrewswanson
Level 7
Level 7
In response to ali007

‎09-29-2022 07:39 AM

The "Event : 5434 Endpoint conducted several failed authentications of the same scenario" message suggests the client is being blacklisted by ISE - see thread below:

https://community.cisco.com/t5/network-access-control/ise-and-failed-authentications-conducted-by-endpoints/td-p/2971530

hth

Andy

 

0 Helpful

Go to solution
ali007
Level 1
Level 1
In response to andrewswanson

‎09-29-2022 08:51 AM

thanks Andrew, there's no anomalous client supression settings in "Administration > System > Settings > Radius, Suppress Anomalous Clients" as the thread suggests. we are running version 3 patch 2.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎09-29-2022 07:34 AM - edited ‎09-29-2022 07:35 AM

Mmm, could you please check in the authorization profile the access type? it is the first option when you open up the authorization profile, and it should be set to "ACCESS_ACCEPT", maybe it was set to "ACCESS_REJECT" accidentally?!

0 Helpful

Go to solution
ali007
Level 1
Level 1
In response to Aref Alsouqi

‎09-29-2022 07:40 AM

its definitely set to Access_Accept - checked it many times over.

0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to ali007

‎09-29-2022 07:49 AM

Could you please try to create an new authorization profile from the scratch, not by cloning the existing one, and apply it to the authorization rule and see if that makes any difference?

0 Helpful

Go to solution
ali007
Level 1
Level 1
In response to Aref Alsouqi

‎09-29-2022 08:04 AM

tried that over a few times as well.

The only thing selected in authorization result profile is voice domain
though and access-accept
0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP

‎09-29-2022 08:18 AM

Can you please share the complete failure log page as a screenshot for review?

0 Helpful

Go to solution
ali007
Level 1
Level 1
In response to Aref Alsouqi

‎09-29-2022 08:35 AM

sure, please see atatched:

Preview file
137 KB
0 Helpful

Go to solution
Aref Alsouqi
VIP
VIP
In response to ali007

‎09-29-2022 09:02 AM

Thanks. It seems ISE is complaining about the network device profile. What network device profile have you selected in the phones authorization profile? that option should be the second from top. Could you please try to set that to "any" and see if this makes any difference?

0 Helpful
Customers Also Viewed These Support Documents