08-12-2021 01:08 AM - edited 08-12-2021 02:14 AM
Hello Experts,
I am facing an issue with guest access authentication. Old AIROS WLCs are working, but now I have installed a new 9800 WLC and it's creating an issue.
Requesting help to troubleshoot below authentication fail error messages seen for wireless guest users.
Event | 5400 Authentication failed |
Failure Reason | 15039 Rejected per authorization profile |
Resolution | Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results. |
Root cause | Selected Authorization Profile contains ACCESS_REJECT attribute |
Username | USERNAME |
It's not hitting the right Authentication policy.
Here is the config:
-----------------------------------
aaa new-model
!
!
aaa group server radius ISE
 server name ISE1
 server name ISE2
 deadtime 5
 mac-delimiter hyphen
!
aaa group server radius CLOUD
 server name CLOUD1
 server name CLOUD2
 deadtime 5
!
aaa authentication login ISE_Login group ISE
aaa authentication dot1x ISE group ISE
aaa authentication dot1x CLOUD group CLOUD
aaa authorization network ISE group ISE
aaa authorization network CLOUD group CLOUD
aaa accounting identity ISE start-stop group ISE
aaa accounting identity CLOUD start-stop group CLOUD
!
!
aaa attribute list wlan_lobby_access
!
!
!
!
aaa server radius dynamic-author
 client 10.18.21.14 server-key 7 <key>
 client 10.18.21.15 server-key 7 <key>
 client 188.166.194.133 server-key 7 <key>
 client 67.207.78.164 server-key 7 <key>
!
parameter-map type webauth global
 type webauth
 sleeping-client
 virtual-ip ipv4 192.0.2.1 virtual-host guest.corp.com
 redirect for-login guest.corp.com
 redirect portal ipv4 192.0.2.1
 intercept-https-enable
 trustpoint TP-self-signed-1227611375
 webauth-http-enable
!
radius server ISE2
 address ipv4 10.18.21.15 auth-port 1812 acct-port 1813
 key 7 <key>
!
radius server CLOUD1
 address ipv4 188.166.194.133 auth-port 1866 acct-port 1867
 key 7 <key>
!
radius server CLOUD2
 address ipv4 67.207.78.164 auth-port 1866 acct-port 1867
 key 7 <key>
!
wireless aaa policy Called_Station_ID
 nas-id option1 ssid
!
wireless profile policy Guest
 aaa-policy Called_Station_ID
 accounting-list ISE
 description Guest
 ipv4 dhcp required
 ipv4 dhcp server 172.18.80.1
 vlan CorpGuest
 no shutdown
!
wlan CorpGuest 1 CorpGuest
 peer-blocking drop
 no security wpa
 no security wpa wpa2
 no security wpa wpa2 ciphers aes
 no security wpa akm dot1x
 security web-auth
 security web-auth authentication-list ISE_Login
 security web-auth parameter-map global
 no shutdown
-----------------------------------
Can you guys please help me!!
Best Regards
08-12-2021 01:11 AM
It's not hitting the right Auth policy in ISE:
11001 | Received RADIUS Access-Request | |
11017 | RADIUS created a new session | |
15049 | Evaluating Policy Group | |
15008 | Evaluating Service Selection Policy | |
15048 | Queried PIP | |
15041 | Evaluating Identity Policy | |
15013 | Selected Identity Source - | |
22043 | Current Identity Store does not support the authentication method; Skipping it | |
22064 | Authentication method is not supported by any applicable identity store(s) | |
22058 | The advanced option that is configured for an unknown user is used | |
22060 | The 'Continue' advanced option is configured in case of a failed authentication request | |
24715 | ISE has not confirmed locally previous successful machine authentication for user in Active Directory | |
15036 | Evaluating Authorization Policy | |
15048 | Queried PIP | |
15048 | Queried PIP | |
15048 | Queried PIP | |
15016 | Selected Authorization Profile - DenyAccess | |
15039 | Rejected per authorization profile | |
11003 | Returned RADIUS Access-Reject | |
5434 | Endpoint conducted several failed authentications of the same scenario |