ISE MAB for Cisco IP phone without profiling license.

ali007 (Level 1)

hi,

I am trying to set up our ISE for Cisco IP phones and we do not have a license to support profiling. Do you have a step-by-step guide or something I can copy? I have tried everything I know so far, but it wouldn't work, as I keep getting the following error:

resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.

root cause: Selected Authorization Profile contains ACCESS_REJECT attribute

ISE Version is: 3.2

thanks in advance

Accepted Solution

Thanks. It seems ISE is complaining about the network device profile. What network device profile have you selected in the phones' authorization profile? That option should be the second from the top. Could you please try to set that to "any" and see if this makes any difference?

13 Replies

I think you can create an identity group, importing/moving the phones' MAC addresses into the identity group, and then reference the identity group on the authorization rule. That should match the traffic coming from the phones without relying on profiling at all. The downside of this is that you need to add any additional phone MAC address to the identity group.
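The approach in the reply above, scripted as an added example (not code from this thread or from Cisco): pushing phone MAC addresses into an endpoint identity group through ISE's ERS REST API with a static assignment, so the membership does not depend on profiling. The ERS resource path and JSON field names (`/ers/config/endpoint`, `ERSEndPoint`, `groupId`, `staticGroupAssignment`) are assumed from the ERS documentation; the host, credentials and group ID are placeholders.

```python
"""Bulk static assignment of IP-phone MACs to an ISE endpoint identity group.
Assumption: ERS is enabled on the ISE PAN and the account has ERS Admin rights."""
import re
from typing import Dict, List, Tuple

import requests  # third-party: pip install requests

ERS_PORT = 9060  # ERS API port on ISE (assumed from ERS docs)
MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$")


def normalize_mac(raw: str) -> str:
    """Accept 0011.2233.4455, 00-11-22-33-44-55 or 001122334455 (phone labels and
    switch output use all three) and return ISE's AA:BB:CC:DD:EE:FF form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", raw).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    mac = ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))
    if not MAC_RE.match(mac):  # defensive: the regex above guarantees this
        raise ValueError(f"normalization failed for {raw!r}")
    return mac


def endpoint_payload(mac: str, group_id: str) -> dict:
    """Body for POST /ers/config/endpoint. staticGroupAssignment pins the endpoint
    to the group so nothing (e.g. a later profiler) silently moves it out."""
    return {"ERSEndPoint": {"mac": normalize_mac(mac),
                            "groupId": group_id,
                            "staticGroupAssignment": True}}


def add_phones(ise_host: str, auth: Tuple[str, str], group_id: str,
               macs: List[str], ca_bundle: str = True) -> Dict[str, int]:
    """POST one endpoint per MAC; returns {normalized_mac: HTTP status}.
    201 = created; a 400 typically means the MAC already exists as an endpoint.
    ca_bundle: path to the CA that signed the ISE admin cert (keep TLS verification on)."""
    url = f"https://{ise_host}:{ERS_PORT}/ers/config/endpoint"
    headers = {"Content-Type": "application/json", "Accept": "application/json"}
    results: Dict[str, int] = {}
    with requests.Session() as s:
        s.auth, s.headers, s.verify = auth, headers, ca_bundle
        for raw in macs:
            body = endpoint_payload(raw, group_id)
            resp = s.post(url, json=body, timeout=15)
            results[body["ERSEndPoint"]["mac"]] = resp.status_code
    return results


if __name__ == "__main__":
    # Placeholder host/credentials/group ID; the MACs are constructed sample values.
    phones = ["0011.2233.4455", "00-11-22-33-44-56", "001122334457"]
    print(add_phones("ise.example.internal", ("ersadmin", "REPLACE_ME"),
                     "GROUP-ID-PLACEHOLDER", phones, ca_bundle="/etc/ssl/ise-ca.pem"))
```

Get the group ID first with `GET /ers/config/endpointgroup?filter=name.EQ.<group name>`; the authorization rule then matches on that identity group, not on a profiled device type.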

Hi Aref.

I have done just that but am getting the error below. Also, I have only selected "voice domain" in the result profile; is that right?

Event : 5434 Endpoint conducted several failed authentications of the same scenario

Failure Reason: 15039 Rejected per authorization profile

Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.

Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute

Yes, voice domain permission would be required. It does seem that the traffic coming from the phones is not matching the right authorization profile. Would you mind sharing sanitized screenshots of your authentication and authorization rules for review?

thanks Aref, I can see the right authZ policy is selected in the logs but still access_reject is chosen: 

(check the attached screenshot)

there was a default IP Phone group so I added the MAC to this group statically.

The "Event : 5434 Endpoint conducted several failed authentications of the same scenario" message suggests the client is being blacklisted by ISE; see the thread below:

https://community.cisco.com/t5/network-access-control/ise-and-failed-authentications-conducted-by-endpoints/td-p/2971530

hth

Andy


Thanks Andrew, there are no anomalous client suppression settings in "Administration > System > Settings > Radius, Suppress Anomalous Clients" as the thread suggests. We are running version 3 patch 2.

Mmm, could you please check the access type in the authorization profile? It is the first option when you open up the authorization profile, and it should be set to "ACCESS_ACCEPT". Maybe it was set to "ACCESS_REJECT" accidentally?!

It's definitely set to Access_Accept; I have checked it many times over.

Could you please try to create a new authorization profile from scratch, not by cloning the existing one, apply it to the authorization rule, and see if that makes any difference?

Tried that a few times as well.

The only things selected in the authorization result profile are voice domain and access-accept, though.

Can you please share the complete failure log page as a screenshot for review?

Sure, please see attached:
