We need to access to some Cisco devices in a ISE managed infrastructure.
we theoretically have been granted access with multiple credentials but now only a few of them work. The others seems not to be authorized (error "Unable to authorize access.")
I've tried to troubleshoot this in the ISE But I can't figure out what's the matter with our non functioning credentials. Here is a compare between Username1 (working) and username2 (not working)
Can anyone tell me where exactly to look in those logs in order to troubleshoot problems like this?
The log on the right, which is resulting in an access reject, appears to be matching the username/AD account in a different domain, possibly across a two way trust in the AD config. If this is the case, the AD groups mapped in the Authz for access may not exist in the other domain. At least that's one possible scenario here.
You can do some AD test authentications and look to see the difference between user1 and user 2. Do this from the External ID sources page.
https://<ise admin node>/admin/#administration/administration_identitymanagement/administration_identitymanagement_external
I've tried authenticating both users through the tool you've suggested and I've noted no difference between the two. There just one AD server configured as an external identity source and it's successful for both
I don't really know much of the ISE's lingo. Here is the closest thing to "authorization rules" that I've found (looking through some documentation searching for "authorization rule", I've found some reference to policy sets)
I apologize for using ISE lingo.
You found your policy sets which is a good starting point, next if you click on the ">" on your corresponding policy e.g. WIFI_802.1X you'll find the authorization rules. There you must observe the options that must match in order for an authorization policy to succeed, this could be a range of things like use must belong to specific AD group, or for a specific SSID or/ and specific hour.
As policies can be either very simple or to complex there's no way to guide you without specific requirements.
We can try if it's a one off situation, but is always recommended to hire an ISE consultant, especially if you're in an security "sensitive" environment.
Also have a look at https://www.network-node.com/ for some good videos on ISE.