02-24-2020 10:46 AM
Hi Experts,
I am testing one use case in ISE, where ISE is not authorizing the AD user. When I am testing this AD user from the switch with the command: test aaa group radius username@AD.com Password new-code, then it's saying:
User successfully authenticated
USER ATTRIBUTES
username 0 "Username"
tunnel-type 1 13 [vlan]
tunnel-medium-type 1 6 [ALL_802]
tunnel-private-group 1 "IT"
Means it's successfully authenticated and getting authorization as well. But when I am testing from the endpoint it's giving me the below error; please provide the workaround, as I am missing something.
It's ACCESS_ACCEPT in the authorization profile; don't know why it's saying in the root cause: Authorization Profile with ACCESS_REJECT attribute
Event | 5400 Authentication failed
Failure Reason | 15039 Rejected per authorization profile
Resolution | Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause | Selected Authorization Profile contains ACCESS_REJECT attribute
Also mentioning all the steps which it's performing during this process.
11001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10))
15049 | Evaluating Policy Group
15008 | Evaluating Service Selection Policy
15048 | Queried PIP - DEVICE.Device Type
15041 | Evaluating Identity Policy
15048 | Queried PIP - Normalised Radius.RadiusFlowType
15013 | Selected Identity Source - Internal Endpoints
24209 | Looking up Endpoint in Internal Endpoints IDStore - 00:50:56:5D:D5:2A
24211 | Found Endpoint in Internal Endpoints IDStore
22037 | Authentication Passed
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 | Evaluating Authorization Policy
24432 | Looking up user in Active Directory - AD.com
24325 | Resolving identity - 00-50-56-5D-D5-2A
24313 | Search for matching accounts at join point - AD.com
24318 | No matching account found in forest - AD.com
24322 | Identity resolution detected no matching account
24352 | Identity resolution failed - ERROR_NO_SUCH_USER
24412 | User not found in Active Directory - AD.com
15048 | Queried PIP - AD.com.ExternalGroups (3 times)
15016 | Selected Authorization Profile - DenyAccess
15039 | Rejected per authorization profile
11003 | Returned RADIUS Access-Reject
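As an added triage helper (not part of the original post or of ISE), here is a Python script that parses ISE step lines like those above and reports which identity the authorization policy's Active Directory lookup actually used. The sample steps are a constructed subset of the post's own list: step 11027 marks the session as a host-lookup (MAB) flow, and step 24325 shows the identity resolved against AD was the endpoint MAC rather than an AD username, which is why the AD group condition could not match and DenyAccess was selected.

```python
import re

# Constructed sample: a subset of the ISE "Steps" list from the post, one "code | message" per line
SAMPLE_STEPS = """\
11001 | Received RADIUS Access-Request | |
11027 | Detected Host Lookup UseCase (Service-Type = Call Check (10)) | |
15013 | Selected Identity Source - Internal Endpoints | |
22037 | Authentication Passed | |
15036 | Evaluating Authorization Policy | |
24432 | Looking up user in Active Directory - AD.com | |
24325 | Resolving identity - 00-50-56-5D-D5-2A | |
24412 | User not found in Active Directory - AD.com | |
15048 | Queried PIP - AD.com.ExternalGroups (3 times) | |
15016 | Selected Authorization Profile - DenyAccess | |
15039 | Rejected per authorization profile | |
11003 | Returned RADIUS Access-Reject |
"""

STEP_RE = re.compile(r"^\s*(\d{5})\s*\|\s*(.*?)\s*(?:\|\s*)*$")   # code | message, trailing cells ignored
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")  # aa:bb:cc:dd:ee:ff or aa-bb-...

def parse_steps(text):
    """Parse ISE step lines into (code, message) tuples, dropping empty trailing table cells."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2)))
    return steps

def triage(steps):
    """Explain an authorization reject by checking which identity the AD lookup used."""
    msgs = dict(steps)                              # last message seen per step code
    flow = "MAB" if 11027 in msgs else "other"      # 11027 = Host Lookup (MAB) use case detected
    identity = msgs.get(24325, "").split(" - ")[-1]  # 24325 = "Resolving identity - <identity>"
    profile = msgs.get(15016, "").split(" - ")[-1]   # 15016 = "Selected Authorization Profile - <name>"
    finding = {"flow": flow, "identity": identity, "profile": profile, "verdict": "unknown"}
    if 24412 in msgs and MAC_RE.match(identity):
        # AD was asked about a MAC address: a MAB session carries no AD username,
        # so an AD group condition (e.g. AD.com.ExternalGroups) in the rule cannot match.
        finding["verdict"] = "ad_lookup_on_mac"
    elif 24412 in msgs:
        finding["verdict"] = "ad_user_not_found"    # a real username that AD does not know
    elif profile == "DenyAccess":
        finding["verdict"] = "deny_by_rule"         # rule matched but its result is DenyAccess
    else:
        finding["verdict"] = "ok"
    return finding
```

Run `triage(parse_steps(SAMPLE_STEPS))` against a pasted step list; a verdict of `ad_lookup_on_mac` means the rule expects an 802.1X user identity but the session authenticated by MAC.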