Cisco 9800 LWA/cisco ISE issue

ittechk4u1
Level 1

Hello Experts,

 

I am facing an issue with guest access authentication. The old AireOS WLCs are working, but now I have installed a new 9800 WLC and it is causing an issue.

 

Requesting help to troubleshoot the authentication failure error messages below, seen for wireless guest users.

 

Event: 5400 Authentication failed
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute
Username: USERNAME

 

It's not hitting the right Authentication policy.

 

Here is the config:

 

-----------------------------------

aaa new-model
!
!
aaa group server radius ISE
server name ISE1
server name ISE2
deadtime 5
mac-delimiter hyphen
!
aaa group server radius CLOUD
server name CLOUD1
server name CLOUD2
deadtime 5
!
aaa authentication login ISE_Login group ISE
aaa authentication dot1x ISE group ISE
aaa authentication dot1x CLOUD group CLOUD
aaa authorization network ISE group ISE
aaa authorization network CLOUD group CLOUD
aaa accounting identity ISE start-stop group ISE
aaa accounting identity CLOUD start-stop group CLOUD
!
!
aaa attribute list wlan_lobby_access
!
!
!
!
aaa server radius dynamic-author
client 10.18.21.14 server-key 7 <key>
client 10.18.21.15 server-key 7 <key>
client 188.166.194.133 server-key 7 <key>
client 67.207.78.164 server-key 7 <key>
!
parameter-map type webauth global
type webauth
sleeping-client
virtual-ip ipv4 192.0.2.1 virtual-host guest.corp.com
redirect for-login guest.corp.com
redirect portal ipv4 192.0.2.1
intercept-https-enable
trustpoint TP-self-signed-1227611375
webauth-http-enable
!
radius server ISE2
address ipv4 10.18.21.15 auth-port 1812 acct-port 1813
key 7 <key>
!
radius server CLOUD1
address ipv4 188.166.194.133 auth-port 1866 acct-port 1867
key 7 <key>
!
radius server CLOUD2
address ipv4 67.207.78.164 auth-port 1866 acct-port 1867
key 7 <key>
!
wireless aaa policy Called_Station_ID
nas-id option1 ssid
!
wireless profile policy Guest
aaa-policy Called_Station_ID
accounting-list ISE
description Guest
ipv4 dhcp required
ipv4 dhcp server 172.18.80.1
vlan CorpGuest
no shutdown
!
wlan CorpGuest 1 CorpGuest
peer-blocking drop
no security wpa
no security wpa wpa2
no security wpa wpa2 ciphers aes
no security wpa akm dot1x
security web-auth
security web-auth authentication-list ISE_Login
security web-auth parameter-map global
no shutdown

-----------------------------------

 

Can you guys please help me!!

 

Best Regards

1 Reply

ittechk4u1
Level 1

It's not hitting the right Auth policy in ISE:

 

[Attachment: Capture.PNG]

 

Steps

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15041 Evaluating Identity Policy
15013 Selected Identity Source -
22043 Current Identity Store does not support the authentication method; Skipping it
22064 Authentication method is not supported by any applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22060 The 'Continue' advanced option is configured in case of a failed authentication request
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
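The ISE step list above already contains the chain that explains the reject: steps 22043/22064 show the selected identity store could not handle the authentication method, step 22060 shows the 'Continue' advanced option let the request proceed into authorization anyway, and step 15016 shows the DenyAccess profile was then selected. The following script is an added example (not from the poster or from Cisco) that parses the step lines in the flattened form the page shows and pulls that chain out automatically; the step codes and messages used as sample input are copied from the thread, and the field names in the result are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample input: the ISE live-log "Steps" from the thread, in the
# flattened form the forum page shows (the step code is fused to its message).
ISE_STEPS = """\
11001Received RADIUS Access-Request
11017RADIUS created a new session
15049Evaluating Policy Group
15008Evaluating Service Selection Policy
15048Queried PIP
15041Evaluating Identity Policy
15013Selected Identity Source -
22043Current Identity Store does not support the authentication method; Skipping it
22064Authentication method is not supported by any applicable identity store(s)
22058The advanced option that is configured for an unknown user is used
22060The 'Continue' advanced option is configured in case of a failed authentication request
15036Evaluating Authorization Policy
15048Queried PIP
15016Selected Authorization Profile - DenyAccess
15039Rejected per authorization profile
11003Returned RADIUS Access-Reject
5434Endpoint conducted several failed authentications of the same scenario
"""

# ISE step codes are 4 or 5 digits and are glued directly to the message text.
STEP_RE = re.compile(r"^\s*(\d{4,5})(\D.*)$")

def parse_steps(text: str) -> List[Tuple[int, str]]:
    """Return (step_code, message) pairs; lines that are not steps are ignored."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((int(m.group(1)), m.group(2).strip()))
    return steps

def diagnose(steps: List[Tuple[int, str]]) -> Dict[str, object]:
    """Summarise why the request was rejected, from the step codes alone."""
    codes = {c for c, _ in steps}
    profile = next((m.split("-", 1)[-1].strip() for c, m in steps if c == 15016), None)
    return {
        # 22043/22064: the selected identity store cannot handle the auth method
        "identity_store_unsupported": bool(codes & {22043, 22064}),
        # 22060 + 15036: 'Continue' on auth failure, so authorization still ran
        "continued_to_authorization": 22060 in codes and 15036 in codes,
        # 15016: the authorization profile that was finally selected
        "selected_profile": profile,
        "access_reject": 11003 in codes,
    }
```

Feeding the thread's steps through `diagnose(parse_steps(ISE_STEPS))` flags the unsupported identity store, the continue-to-authorization path and the `DenyAccess` profile, which is the same conclusion the poster reached by reading the live log by hand.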