cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Announcements
Choose one of the topics below to view our ISE Resources to help you on your journey with ISE

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1164
Views
0
Helpful
2
Replies

DenyAccess Identity Store on ISE

Hi,

I've Cisco ISE 2.2.0.470 patch 1.

Every time that a user tries to access the network via MAB Authentication, authentication fails.

Failure reason is "22017 Selected Identity Source is DenyAccess".

The resolution is Select a different identity source.

The identity store is in fact DenyAccess while previously the identity store of my users was Guest_Users.

How could I select a different identity store?

How could I change DenyAccess identity store?

Is it possible?

Thanks

Antonio

Everyone's tags (1)
2 REPLIES 2
VIP Advocate

You can choose a new identity

You can choose a new identity store for the Authentication policy you are hitting. All ID stores should show up as options to choose in a dropdown See picture attached. 

Hi,

Hi,

thanks for your reply.

It doesn't work or maybe I've configured the authentication policy in a wrong manner.

Actual authentication policies are shown in the picture attached.

Yesterday there wasn't the MAB_SG_copy1.

Yesterday users hit the MAB_SG policy and it was right in my scenario.

The error messages were:

Failure reason is "22017 Selected Identity Source is DenyAccess".

The resolution is Select a different identity source.

After your reply I've configured also the MAB_SG_copy1 policy.

This policy is very similar to the MAB_SG policy with the difference of Identity Store that is DenyAccess store instead of All_user_ID_store.

I use DenyAccess identity store to try to permit access to "Denyaccess" users.

Identity Source Details are the same for both the policies.

Now users hit that policy but the failure messages are the same of the MAB_SG policy.

Is this configuration correct? Did you mean this type of configuration?

The strange fact is that MAB_SG policy worked well for some days and suddenly, after I've reloaded my ISE, it began to deny access to my users.

I've reloaded my ISE because I've upgraded cpu and ram (not disk).

I don't know if the resource upgrade could have influenced the authentication behaviour.

Thanks

Antonio