troubleshooting over not functioning credentials

maring13482
Beginner

Hi

We need to access some Cisco devices in an ISE-managed infrastructure.

We have theoretically been granted access with multiple credentials, but now only a few of them work. The others seem not to be authorized (error "Unable to authorize access.").

I've tried to troubleshoot this in ISE, but I can't figure out what's the matter with our non-functioning credentials. Here is a comparison between Username1 (working) and username2 (not working):

 

2021-01-08 14_29_02-_new 1 - Notepad++ [Administrator].png


Can anyone tell me where exactly to look in those logs in order to troubleshoot problems like this?


thanks! 


The log on the right, which is resulting in an access reject, appears to be matching the username/AD account in a different domain, possibly across a two way trust in the AD config. If this is the case, the AD groups mapped in the Authz for access may not exist in the other domain. At least that's one possible scenario here.

You can do some AD test authentications and look to see the difference between user1 and user2. Do this from the External ID Sources page:
https://<ise admin node>/admin/#administration/administration_identitymanagement/administration_identitymanagement_external

ad-test.png

I've tried authenticating both users through the tool you've suggested and I've noted no difference between the two. There is just one AD server configured as an external identity source, and it's successful for both.

Hi @maring13482,

The access rejects come from your authorization rules, not your authentication.

Please check your authorization rules, share them if you need more help.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies

I don't really know much of the ISE lingo. Here is the closest thing to "authorization rules" that I've found (looking through some documentation searching for "authorization rule", I've found some references to policy sets):

2021-01-19 16_58_01.png

Hi @maring13482,

I apologize for using ISE lingo.
You found your policy sets, which is a good starting point. Next, if you click on the ">" on your corresponding policy, e.g. WIFI_802.1X, you'll find the authorization rules. There you must observe the options that must match in order for an authorization policy to succeed; this could be a range of things, like the user must belong to a specific AD group, or connect to a specific SSID and/or at a specific hour.

As policies can be either very simple or too complex, there's no way to guide you without specific requirements.

We can try if it's a one-off situation, but it is always recommended to hire an ISE consultant, especially if you're in a security-"sensitive" environment.

Also have a look at https://www.network-node.com/ for some good videos on ISE.

Thank you, Panos.
Please Rate Posts (by clicking on Star) and/or Mark Solutions as Accepted, when applies
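To make concrete what the two replies above describe (an authorization rule is a set of conditions, such as AD group membership and SSID, that must all match before ISE returns PermitAccess, and an account that resolves in a different domain may not carry the group path the rule expects), here is a small added example that is not part of this thread and not Cisco's code. It evaluates ISE-style authorization rules over two constructed authentication records and reports, for the rejected one, which condition failed. The record fields, rule names, domains and group paths are all constructed for illustration; the attribute names are only loosely modelled on what an ISE authentication detail report shows.

```python
"""Toy first-match evaluator for ISE-style authorization rules.

Added example, not from the thread. All records, domains, groups and rule
names below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class AuthRecord:
    """Subset of what an authentication detail report would show (constructed)."""
    username: str
    ad_domain: str        # domain the account resolved to during the AD lookup
    ad_groups: List[str]  # group paths as resolved by the AD join point
    ssid: str             # SSID the client connected to


@dataclass
class AuthzRule:
    """One row of an authorization policy: every non-None condition must match."""
    name: str
    required_group: Optional[str] = None
    required_ssid: Optional[str] = None
    result: str = "PermitAccess"


def evaluate_rule(rule: AuthzRule, rec: AuthRecord) -> Tuple[bool, str]:
    """Return (matched, reason); reason names the first condition that failed."""
    if rule.required_group is not None and rule.required_group not in rec.ad_groups:
        return False, (f"{rule.name}: user not in group {rule.required_group!r} "
                       f"(groups seen: {rec.ad_groups})")
    if rule.required_ssid is not None and rule.required_ssid != rec.ssid:
        return False, f"{rule.name}: SSID {rec.ssid!r} != {rule.required_ssid!r}"
    return True, f"{rule.name}: all conditions matched"


def authorize(rules: List[AuthzRule], rec: AuthRecord) -> Tuple[str, List[str]]:
    """First-match evaluation; with no matching rule the implicit default is DenyAccess."""
    trace = []
    for rule in rules:
        ok, why = evaluate_rule(rule, rec)
        trace.append(why)
        if ok:
            return rule.result, trace
    trace.append("Default: no rule matched -> DenyAccess")
    return "DenyAccess", trace


# Constructed policy: one rule that requires a group from the home domain on one SSID.
RULES = [
    AuthzRule("Admins_WIFI",
              required_group="corp.example.com/Users/Network-Admins",
              required_ssid="CORP-8021X"),
]

# Constructed records modelled on the working/non-working pair in the question.
USER1 = AuthRecord("username1", "corp.example.com",
                   ["corp.example.com/Users/Network-Admins",
                    "corp.example.com/Users/Domain Users"],
                   "CORP-8021X")
# Same SSID, but the account resolved in a trusted domain, so the group path
# the rule looks for is never present in its resolved groups.
USER2 = AuthRecord("username2", "trusted.example.net",
                   ["trusted.example.net/Users/Domain Users"],
                   "CORP-8021X")


def compare(rec_a: AuthRecord, rec_b: AuthRecord, rules=RULES) -> dict:
    """Side-by-side summary of two records: resolved domain, result and rule trace."""
    out = {}
    for rec in (rec_a, rec_b):
        result, trace = authorize(rules, rec)
        out[rec.username] = {"domain": rec.ad_domain, "result": result, "trace": trace}
    return out


if __name__ == "__main__":
    for user, info in compare(USER1, USER2).items():
        print(f"{user} ({info['domain']}) -> {info['result']}")
        for line in info["trace"]:
            print("   ", line)
```

The trace for the rejected record is the thing to look for in the real report: the first failing condition tells you whether the problem is the group (often a domain or group-path mismatch, as the first reply suggests) or a network condition such as the SSID.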