11-12-2018 10:48 PM
Can someone help me figure this out? I configured the LDAP server for ISE authentication of MAB, but the session doesn't hit the authorization policy for the LDAP group. I thought maybe there is an incorrect value in the Group Map Attribute or Group Object Class. I'm not sure what I can do.
Overview
Event     5200 Authentication succeeded
Username     00:0C:29:0A:6B:B5
Endpoint Id     00:0C:29:0A:6B:B5
Endpoint Profile     Windows7-Workstation
Authentication Policy    Default >> MAB
Authorization Policy    Default >> Basic_Authenticated_Access
Authorization Result    PermitAccess
Authentication Details
Source Timestamp      2018-11-13 14:01:36.191 
Received Timestamp      2018-11-13 14:01:36.204 
Policy Server      ise1 
Event     5200 Authentication succeeded
Username      00:0C:29:0A:6B:B5 
Endpoint Id      00:0C:29:0A:6B:B5 
Calling Station Id      00-0C-29-0A-6B-B5 
Endpoint Profile      Windows7-Workstation 
IPv4 Address      192.168.92.171 
Authentication Identity Store      TESTLDAP 
Identity Group      test-whitelist 
Audit Session Id      C0A85C6400000005004ADC22 
Authentication Method      mab 
Authentication Protocol      Lookup 
Service Type      Call Check 
Network Device      CR-2960 
Device Type      All Device Types#switch#SW2960 
Location      All Locations#Yangmei#CR 
NAS IPv4 Address      192.168.92.100 
NAS Port Id      GigabitEthernet0/5 
NAS Port Type      Ethernet 
Authorization Profile      PermitAccess 
Response Time      64 milliseconds
Other Attributes
ConfigVersionId     134
DestinationPort     1645
Protocol     Radius
NAS-Port     50005
Framed-MTU     1500
OriginalUserName     000c290a6bb5
NetworkDeviceProfileId     b0699505-3150-4215-a80e-6753d45bf56c
IsThirdPartyDeviceFlow     false
AcsSessionID     ise1/331133428/16
UseCase     Host Lookup
SelectedAuthenticationIdentityStores     TESTLDAP
AuthenticationStatus     AuthenticationPassed
IdentityPolicyMatchedRule     MAB
AuthorizationPolicyMatchedRule     Basic_Authenticated_Access
CPMSessionID     C0A85C6400000005004ADC22
EndPointMACAddress     00-0C-29-0A-6B-B5
ISEPolicySetName     Default
IdentitySelectionMatchedRule     MAB
DTLSSupport     Unknown
HostIdentityGroup     Endpoint Identity Groups:test-whitelist
Network Device Profile     Cisco
IPSEC     IPSEC#Is IPSEC Device#No
Name     Endpoint Identity Groups:test-whitelist
IdentityDn     cn=000C290A6BB5,ou=OA,ou=MACAddresses,ou=MAC,dc=test,dc=com
gidNumber     503
uid     000c290a6bb5
RADIUS Username     00:0C:29:0A:6B:B5
Device IP Address     192.168.92.100
Called-Station-ID     DC:7B:94:16:53:85
CiscoAVPair      audit-session-id=C0A85C6400000005004ADC22 
Result
User-Name     00-0C-29-0A-6B-B5
Class     CACS:C0A85C6400000005004ADC22:ise1/331133428/16
cisco-av-pair     profile-name=Windows7-Workstation
LicenseTypes     Base license consumed 
Steps
      11001     Received RADIUS Access-Request
      11017     RADIUS created a new session
      11027     Detected Host Lookup UseCase (Service-Type = Call Check (10))
      15049     Evaluating Policy Group
      15008     Evaluating Service Selection Policy
      15048     Queried PIP - Normalised Radius.RadiusFlowType
      15041     Evaluating Identity Policy
      15013     Selected Identity Source - TESTLDAP
      24031     Sending request to primary LDAP server - TESTLDAP
      24017     Looking up host in LDAP Server - TESTLDAP
      24029     Host's attributes are retrieved - TESTLDAP
      24005     Host search finished successfully - TESTLDAP
      22037     Authentication Passed
      24715     ISE has not confirmed locally previous successful machine authentication for user in Active Directory
      15036     Evaluating Authorization Policy
      15048     Queried PIP - TESTLDAP.ExternalGroups
      15048     Queried PIP - Radius.NAS-Port-Type
      15048     Queried PIP - EndPoints.LogicalProfile
      15048     Queried PIP - Network Access.AuthenticationStatus
      15016     Selected Authorization Profile - PermitAccess
      11002     Returned RADIUS Access-Accept 
11-12-2018 11:38 PM
Hi Surendra
I configured the policy to match external group.
11-13-2018 04:35 AM
Absolutely agree, @Surendra. ISE in your case matched the default rule, which is Basic_Authenticated_Access = permit ip any any.
06-14-2021 09:27 AM
Hi guys,
This topic is quite old and the solution has probably already been found. I can confirm that matching works against the entire DN (meaning ExternalGroups is not exactly CN=OA under OU=MacGroups under OU=MAC and so on up). Instead (with the equals operator) it must be like CN=OA,OU=MACGroups,OU=MAC,DC=test,DC=com.
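An added, offline illustration of the point in the reply above (example code written for this page, not Cisco ISE code and not from any poster): the host entry reuses the IdentityDn, uid and gidNumber values visible in the log, while the group entries, the attribute names memberOf, memberUid and uniqueMember, and the two membership models (subject entry lists its groups vs. group entry lists its members, the way an LDAP identity source's group-lookup setting is usually described) are constructed assumptions. It resolves the endpoint's external groups and then evaluates an EQUALS condition on ExternalGroups with a bare "CN=OA" and with the full DN, showing that only the whole DN matches.

```python
"""Offline model of LDAP group resolution and ExternalGroups rule matching
for a MAB endpoint.  Added example, not ISE code: directory entries are
constructed; the host entry copies the attributes from the ISE log
(IdentityDn, uid, gidNumber); attribute names memberOf, memberUid and
uniqueMember are assumptions about the constructed directory."""

HOST_DN = "cn=000C290A6BB5,ou=OA,ou=MACAddresses,ou=MAC,dc=test,dc=com"
OA_GROUP_DN = "cn=OA,ou=MACGroups,ou=MAC,dc=test,dc=com"

# Constructed directory: DN -> {attribute: [values]}
DIRECTORY = {
    HOST_DN: {
        "objectClass": ["device", "posixAccount"],
        "uid": ["000c290a6bb5"],
        "gidNumber": ["503"],
        "memberOf": [OA_GROUP_DN],      # used only by the "subject lists groups" model
    },
    OA_GROUP_DN: {
        "objectClass": ["posixGroup"],
        "gidNumber": ["503"],
        "memberUid": ["000c290a6bb5"],  # member stored as subject name
        "uniqueMember": [HOST_DN],      # member stored as full DN
    },
    "cn=Printers,ou=MACGroups,ou=MAC,dc=test,dc=com": {
        "objectClass": ["posixGroup"],
        "gidNumber": ["504"],
        "memberUid": ["000c29aabbcc"],
        "uniqueMember": ["cn=000C29AABBCC,ou=Printers,ou=MACAddresses,ou=MAC,dc=test,dc=com"],
    },
}


def normalize_dn(dn):
    """Canonical DN for comparison: RDNs trimmed and case-folded (DN matching
    ignores attribute-type case and spaces after commas)."""
    return ",".join(rdn.strip() for rdn in dn.split(",")).casefold()


def find_host(directory, subject_attr, subject_value):
    """Host lookup: the normalised MAC is matched against the subject-name
    attribute (uid here); returns the entry DN or None."""
    wanted = subject_value.casefold()
    for dn, attrs in directory.items():
        if any(v.casefold() == wanted for v in attrs.get(subject_attr, [])):
            return dn
    return None


def external_groups(directory, host_dn, group_object_class, group_map_attr,
                    subjects_contain_groups, member_is_dn=True):
    """DNs of the groups the host belongs to, under either membership model:
    subjects_contain_groups=True  -> read group DNs from the host's group_map_attr
    subjects_contain_groups=False -> scan group_object_class entries whose
                                     group_map_attr lists the host by DN or by name"""
    host = directory[host_dn]
    if subjects_contain_groups:
        return [g for g in host.get(group_map_attr, [])
                if group_object_class in directory.get(g, {}).get("objectClass", [])]
    found = []
    for dn, attrs in directory.items():
        if group_object_class not in attrs.get("objectClass", []):
            continue
        members = attrs.get(group_map_attr, [])
        if member_is_dn:
            hit = any(normalize_dn(m) == normalize_dn(host_dn) for m in members)
        else:
            hit = any(m.casefold() == host["uid"][0].casefold() for m in members)
        if hit:
            found.append(dn)
    return found


def rule_matches(groups, operator, value):
    """Authorization condition on ExternalGroups: EQUALS compares the configured
    value against each whole group DN, so a bare "CN=OA" never matches."""
    target = normalize_dn(value)
    hit = any(normalize_dn(g) == target for g in groups)
    if operator == "EQUALS":
        return hit
    if operator == "NOT_EQUALS":
        return not hit
    raise ValueError("unsupported operator: " + operator)


def evaluate_mab_request(calling_station_id):
    """MAB flow: normalise the MAC, look the host up, resolve groups under each
    model (they must agree), then try both candidate rule values."""
    mac = calling_station_id.replace(":", "").replace("-", "").lower()
    host_dn = find_host(DIRECTORY, "uid", mac)
    if host_dn is None:
        return {"host_dn": None, "groups": [], "cn_only": False, "full_dn": False}
    by_name = external_groups(DIRECTORY, host_dn, "posixGroup", "memberUid", False, member_is_dn=False)
    by_dn = external_groups(DIRECTORY, host_dn, "posixGroup", "uniqueMember", False)
    by_memberof = external_groups(DIRECTORY, host_dn, "posixGroup", "memberOf", True)
    assert by_name == by_dn == by_memberof, "membership models disagree"
    return {
        "host_dn": host_dn,
        "groups": by_name,
        "cn_only": rule_matches(by_name, "EQUALS", "CN=OA"),
        "full_dn": rule_matches(by_name, "EQUALS", "CN=OA,OU=MACGroups,OU=MAC,DC=test,DC=com"),
    }


if __name__ == "__main__":
    print(evaluate_mab_request("00-0C-29-0A-6B-B5"))
```

Running it with the MAC from the log resolves the host to its IdentityDn and the single group cn=OA,ou=MACGroups,ou=MAC,dc=test,dc=com; the condition written as "CN=OA" evaluates false and the full-DN form evaluates true, which is the behaviour the reply describes. An unknown MAC yields no host and no groups, so the rule falls through, the same way the original session fell through to the default rule.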