12-04-2014 06:27 AM - edited 03-10-2019 10:14 PM
Hello,
I have configured Authc and Authz policies as follows:
Authc:
If Radius-NAS-Port-Type EQUALS Virtual the Default Network Access and use AD
Authz:
If Radius-NAS-Port-Type EQUALS Virtual
AND AD Specific User Group
then Authz Profile Permissions (Cisco av-pair = NCS:role0=Root and NCS:virtual-domain0=ROOT-DOMAIN)
I am able to authenticate successfully and the Authorisation permission is applied and I can see this from the Authentication logs, but after that it seems ISE goes back to the Default Authentication policy of Deny Access.
Please could anyone explain why this fails, as the Prime Admin guide doesn't have the proper configuration steps.
12-04-2014 09:12 AM
Are you saying that you are initially able to login as an administrator to Prime but then any subsequent authentications fail?
12-04-2014 11:09 AM
No. What I am saying is that I successfully authenticate and the authorisation policy+profile above is applied. But this fails despite the fact it's just a Cisco-av-pair as shown above.
I can see from Operations > Authentication that Authentication is successful and Auth profile applied.
After this, I see a failure, and when I check the details, the message is Authentication > Default policy, subject not found in ID store.
12-04-2014 05:51 PM
I am not sure I fully understand the exact flow and the problem. Can you post screenshots of the following:
1. Prime radius and AAA configurations
2. ISE Policy Configuration
3. Authentication screen of the failed/pass authentication
12-05-2014 03:50 AM
04-02-2015 03:08 AM
I should've updated this long ago. I removed the NAS-Port-Type=Virtual and replaced it with an NDG created for Prime, i.e. Device:DeviceType=Prime.
For authentication, I left the Radius=Virtual in the policy.
03-01-2015 05:06 PM
Hi,
Does anybody have a solution to this issue? I am having the same problem - it's as though a second request is sent to ISE which only matches up to the Default policy which, in my case, is deny access.
Thanks
03-03-2015 10:29 AM
For my authorization profile result in ISE for PI, I use the following:
Access Type = ACCESS_ACCEPT
cisco-av-pair = NCS:virtual-domain0=ROOT-DOMAIN
cisco-av-pair = NCS:role0=Root
Now you would obviously need to change this if you have multiple virtual domains in PI. It looks similar to what you are using.
My successful login is shown below (however I don't see the Virtual port type):
Source Timestamp | 2015-03-03 10:23:56.123 |
Received Timestamp | 2015-03-03 10:23:56.123 |
Policy Server | MYISESERVER |
Event | 5200 Authentication succeeded |
Failure Reason | |
Resolution | |
Root cause | |
Username | mycoolusername |
User Type | |
Endpoint Id | |
Endpoint Profile | |
IP Address | |
Identity Store | MYADIDENTITYSTORE |
Identity Group | |
Audit Session Id | |
Authentication Method | PAP_ASCII |
Authentication Protocol | PAP_ASCII |
Service Type | |
Network Device | PISERVERNAME |
Device Type | Network Management |
Location | Corporate Office |
NAS IP Address | PI-IP-ADDRESS |
NAS Port Id | |
NAS Port Type | |
Authorization Profile | Cisco-Prime-Infrastructure |
Posture Status | NotApplicable |
Security Group | |
Response Time | 19 |
Try taking out the port type=virtual in your authorization profile config. I only see the port type=virtual in the authentication.
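As an added example (written for this thread, not code from ISE or Prime Infrastructure), the two cisco-av-pairs above round-tripped as RADIUS Vendor-Specific attributes, plus a check of the NCS:roleN / NCS:virtual-domainN numbering that matters once a profile carries more than one role or virtual domain. The rule enforced in prime_permissions, that N starts at 0 with no gaps, is an assumption.

```python
import struct

RADIUS_VSA_TYPE = 26    # RADIUS Vendor-Specific attribute
CISCO_VENDOR_ID = 9     # IANA enterprise number for Cisco
CISCO_AVPAIR_TYPE = 1   # vendor-type of cisco-av-pair inside a Cisco VSA


def encode_cisco_avpairs(pairs):
    """Encode each 'key=value' string as its own Vendor-Specific attribute
    (Type 26 / Vendor-Id 9 / vendor-type 1), as carried in an Access-Accept."""
    out = bytearray()
    for pair in pairs:
        value = pair.encode()
        if len(value) > 247:  # 255-byte attribute limit minus 8 bytes of headers
            raise ValueError("cisco-av-pair too long for a single attribute")
        body = struct.pack("!IBB", CISCO_VENDOR_ID, CISCO_AVPAIR_TYPE, 2 + len(value)) + value
        out += struct.pack("!BB", RADIUS_VSA_TYPE, 2 + len(body)) + body
    return bytes(out)


def decode_cisco_avpairs(attrs):
    """Walk a RADIUS attribute list and return only cisco-av-pair values;
    other attributes (User-Name, Class, other vendors' VSAs) are skipped."""
    pairs, i = [], 0
    while i < len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute length")
        body = attrs[i + 2:i + alen]
        if atype == RADIUS_VSA_TYPE and struct.unpack("!I", body[:4])[0] == CISCO_VENDOR_ID:
            j, vdata = 0, body[4:]
            while j < len(vdata):
                vtype, vlen = vdata[j], vdata[j + 1]
                if vlen < 2:
                    raise ValueError("malformed vendor attribute length")
                if vtype == CISCO_AVPAIR_TYPE:
                    pairs.append(vdata[j + 2:j + vlen].decode())
                j += vlen
        i += alen
    return pairs


def prime_permissions(pairs):
    """Collect NCS:roleN and NCS:virtual-domainN values in index order.
    Assumption: N must start at 0 and be contiguous for PI to read them all."""
    found = {"role": {}, "virtual-domain": {}}
    for pair in pairs:
        key, _, val = pair.partition("=")
        for prefix, store in found.items():
            tag = "NCS:" + prefix
            if key.startswith(tag) and key[len(tag):].isdigit():
                store[int(key[len(tag):])] = val
    for prefix, store in found.items():
        if sorted(store) != list(range(len(store))):
            raise ValueError("NCS:%s indexes must run 0..N-1 without gaps" % prefix)
    return ([found["role"][i] for i in range(len(found["role"]))],
            [found["virtual-domain"][i] for i in range(len(found["virtual-domain"]))])
```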
03-03-2015 02:53 PM
Thanks, Seth. I'll try that.
03-03-2015 03:31 PM
Taking out the port-type=virtual in the authorization profile sorted things out for Alan and me. Thanks for taking the time to answer, Seth.
(We're still using role0=Admin, though, as appropriate for the permissions setup we're using)
02-19-2016 01:28 AM
Hello,
I am experiencing the same problem.
Where do I remove port type=virtual?
In my authorization profile i have :
Access Type = ACCESS_ACCEPT
cisco-av-pair = NCS:role0=Root
Thanks
Marco