Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3064
Views
0
Helpful
2
Replies

DenyAccess Identity Store on ISE

antonio.dinapoli
Level 1
Level 1

‎07-12-2017 07:22 AM - edited ‎03-11-2019 12:50 AM

Hi,

I've Cisco ISE 2.2.0.470 patch 1.

Every time that a user tries to access the network via MAB Authentication, authentication fails.

Failure reason is "22017 Selected Identity Source is DenyAccess".

The resolution is Select a different identity source.

The identity store is in fact DenyAccess while previously the identity store of my users was Guest_Users.

How could I select a different identity store?

How could I change DenyAccess identity store?

Is it possible?

Thanks

Antonio

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Rahul Govindan
VIP Alumni
VIP Alumni

‎07-12-2017 08:28 AM

You can choose a new identity store for the Authentication policy you are hitting. All ID stores should show up as options to choose in a dropdown See picture attached. 

Preview file
314 KB
0 Helpful

antonio.dinapoli
Level 1
Level 1
In response to Rahul Govindan

‎07-13-2017 06:31 AM

Hi,

thanks for your reply.

It doesn't work or maybe I've configured the authentication policy in a wrong manner.

Actual authentication policies are shown in the picture attached.

Yesterday there wasn't the MAB_SG_copy1.

Yesterday users hit the MAB_SG policy and it was right in my scenario.

The error messages were:

Failure reason is "22017 Selected Identity Source is DenyAccess".

The resolution is Select a different identity source.

After your reply I've configured also the MAB_SG_copy1 policy.

This policy is very similar to the MAB_SG policy with the difference of Identity Store that is DenyAccess store instead of All_user_ID_store.

I use DenyAccess identity store to try to permit access to "Denyaccess" users.

Identity Source Details are the same for both the policies.

Now users hit that policy but the failure messages are the same of the MAB_SG policy.

Is this configuration correct? Did you mean this type of configuration?

The strange fact is that MAB_SG policy worked well for some days and suddenly, after I've reloaded my ISE, it began to deny access to my users.

I've reloaded my ISE because I've upgraded cpu and ram (not disk).

I don't know if the resource upgrade could have influenced the authentication behaviour.

Thanks

Antonio

Preview file
243 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents