07-12-2017 07:22 AM - edited 03-11-2019 12:50 AM
Hi,
I've Cisco ISE 2.2.0.470 patch 1.
Every time that a user tries to access the network via MAB Authentication, authentication fails.
Failure reason is "22017 Selected Identity Source is DenyAccess".
The resolution is Select a different identity source.
The identity store is in fact DenyAccess while previously the identity store of my users was Guest_Users.
How could I select a different identity store?
How could I change DenyAccess identity store?
Is it possible?
Thanks
Antonio
07-12-2017 08:28 AM
07-13-2017 06:31 AM
Hi,
thanks for your reply.
It doesn't work or maybe I've configured the authentication policy in a wrong manner.
Actual authentication policies are shown in the picture attached.
Yesterday there wasn't the MAB_SG_copy1.
Yesterday users hit the MAB_SG policy and it was right in my scenario.
The error messages were:
Failure reason is "22017 Selected Identity Source is DenyAccess".
The resolution is Select a different identity source.
After your reply I've configured also the MAB_SG_copy1 policy.
This policy is very similar to the MAB_SG policy with the difference of Identity Store that is DenyAccess store instead of All_user_ID_store.
I use DenyAccess identity store to try to permit access to "Denyaccess" users.
Identity Source Details are the same for both the policies.
Now users hit that policy but the failure messages are the same of the MAB_SG policy.
Is this configuration correct? Did you mean this type of configuration?
The strange fact is that MAB_SG policy worked well for some days and suddenly, after I've reloaded my ISE, it began to deny access to my users.
I've reloaded my ISE because I've upgraded cpu and ram (not disk).
I don't know if the resource upgrade could have influenced the authentication behaviour.
Thanks
Antonio
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide