CISCO ISE 2.4 15039 Rejected per authorization profile

Nadia Bbz
Level 1

I am relatively new to the technology of Cisco ISE.
Today I get the issue below for two user accounts:

 

Event : 5400 Authentication failed

Failure Reason : 15039 Rejected per authorization profile

Resolution :  Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.

 

And when I use troubleshooting, I get the error as attached.

Thanks for the help.
11 Replies

Francesco Molino
VIP Alumni
Hi

Can you share a screenshot of your authorization rules under your WIRED_LAB policy-set?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hey, my policy-set is attached.

Note that for 6 months the user has connected normally, authentication successful.

Can you release your machine endpoint from ISE? It seems to be rejected:
IsEndpointInRejectMode true

You can view it by going to the Context Visibility menu and then into Endpoints. Type in the machine MAC address; the status icon shouldn't be a red deny-access icon. If it is, it means the machine is rejected, and you need to check the box on the right of the MAC address and click the release reject button at the top right of the table.

Also, can you make sure the machine authenticates first, because you're checking whether the machine is authenticated in your rule?

Thanks
Francesco

Hey,

Thanks for the time you take to try to help me.

I applied the method you suggested; the icon status is green (connected), but I always get: rejected per authorization profile.

You will find attached a screenshot of the result.

The rejected status you see there is the latest known status. Can you redo a test and share the authentication/authorization log?

Thanks
Francesco

Hey,

Thanks for the help.

I deleted the MAC address of another endpoint that has the same problem and restarted the machine; the problem always appears. I redid the test; the result is attached.

Please note that in the port configuration I added this line: authentication event fail action authorize vlan X. That's why the user gets an IP address, but with strict limitations.

Thanks again for the help.

Can you share the full authentication/authorization log from the live log please?
Have you created a temp rule bypassing MAR (the attribute wasmachineauthenticated)?

Thanks
Francesco

 

Hey @Francesco Molino,

Thanks so much for helping me, I greatly appreciate it.

You will find attached the live log.

Thanks again

It looks like it isn't taking the temp authorization rule I asked you to create for the test, and the endpoint has made multiple bad authentication attempts, which means it'll be rejected again.

Can you send me a private message with your timezone, and we'll try to do a Webex to see what's going on.
Then we will put the answer right here to help other people facing the same issue.

Thanks
Francesco

Hey @Francesco Molino,

Thank you for your time, your generosity overwhelms me!

Today, the user authenticated successfully, without making any change.

Ok great. Keep an eye and let me know if anything comes up.


Thanks
Francesco