Hi Experts,
I am testing one use case in ISE, where the ise is not authorizing the AD user. when I am testing this AD user from switch with command : test aaa group radius username@AD.com Password new-code, then its saying :
User successfully authenticated
USER ATTRIBUTES
username 0 "Username"
tunnel-type 1 13 [vlan]
tunnel-medium-type 1 6 [ALL_802]
tunnel-private-group 1 "IT"
Means, its successfully authenticated and getting authorization as well. But when I am testing from end point its giving me below error, please provide the workaround where I am missing something.
its ACCESS_ACCEPT in authorization profile, dont know why its saying in root cause: Authorization Profile with ACCESS_REJECT attribute
| Event | 5400 Authentication failed |
| Failure Reason | 15039 Rejected per authorization profile |
| Resolution | Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results. |
| Root cause | Selected Authorization Profile contains ACCESS_REJECT attribute |
Also mentioning all the steps , which its Performing during this process.
| | 11001 | Received RADIUS Access-Request |
| | 11017 | RADIUS created a new session |
| | 11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) |
| | 15049 | Evaluating Policy Group |
| | 15008 | Evaluating Service Selection Policy |
| | 15048 | Queried PIP - DEVICE.Device Type |
| | 15041 | Evaluating Identity Policy |
| | 15048 | Queried PIP - Normalised Radius.RadiusFlowType |
| | 15013 | Selected Identity Source - Internal Endpoints |
| | 24209 | Looking up Endpoint in Internal Endpoints IDStore - 00:50:56:5D:D5:2A |
| | 24211 | Found Endpoint in Internal Endpoints IDStore |
| | 22037 | Authentication Passed |
| | 24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory |
| | 15036 | Evaluating Authorization Policy |
| | 24432 | Looking up user in Active Directory - AD.com |
| | 24325 | Resolving identity - 00-50-56-5D-D5-2A |
| | 24313 | Search for matching accounts at join point - AD.com |
| | 24318 | No matching account found in forest - AD.com |
| | 24322 | Identity resolution detected no matching account |
| | 24352 | Identity resolution failed - ERROR_NO_SUCH_USER |
| | 24412 | User not found in Active Directory - AD.com |
| | 15048 | Queried PIP - AD.com.ExternalGroups (3 times) |
| | 15016 | Selected Authorization Profile - DenyAccess |
| | 15039 | Rejected per authorization profile |
| | 11003 | Returned RADIUS Access-Reject |
