08-12-2021 01:25 AM - edited 09-21-2021 02:47 AM
Hello Experts,
I am facing an issue with guest access authentication. The old AireOS WLCs are working, but now I have installed a new 9800 WLC and it's causing an issue.
Requesting help to troubleshoot the authentication failure error messages below, seen for wireless guest users.
Event: 5400 Authentication failed
Failure Reason: 15039 Rejected per authorization profile
Resolution: Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Root cause: Selected Authorization Profile contains ACCESS_REJECT attribute
Username: USERNAME
It's not hitting the right Authentication policy.
Auth policies:
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15041 Evaluating Identity Policy
15013 Selected Identity Source -
22043 Current Identity Store does not support the authentication method; Skipping it
22064 Authentication method is not supported by any applicable identity store(s)
22058 The advanced option that is configured for an unknown user is used
22060 The 'Continue' advanced option is configured in case of a failed authentication request
24715 ISE has not confirmed locally previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
5434 Endpoint conducted several failed authentications of the same scenario
Thanks in advance
Best Regards
09-01-2022 06:16 AM
Hi Grendizer,
I have a third-party certificate installed, but when I put the guest.corp.com name for the certificate, the guests get a "This site can't be reached" when it redirects to the name I put in. I believe this is because I need to enter a DNS record for guest.corp.com to 192.0.2.1 as you mentioned. How do I go about doing that? Is it through Administration > DNS and then add DNS Server, or is there a different page to add that DNS record? Thanks for the help.
09-01-2022 08:10 AM
Configuration > Security > Web Auth > global > General >
Virtual IPv4 Address: 192.0.2.1
Virtual IPv4 Hostname: guest.corp.com
and select the "Trustpoint" that contains your 3rd party cert.
Next, on the DNS server, you need to add a DNS record that points the guests to the 9800 virtual IP address.
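The same settings expressed as the 9800's IOS-XE CLI, added here as an illustration rather than taken from the reply above. The virtual IP and hostname are the thread's values; the trustpoint name GUEST-CA-TP is an assumption and must match whatever trustpoint actually holds the third-party certificate. The DNS record itself is not configured on the controller: it goes on whichever resolver the guest clients use, for example an A record `guest.corp.com. IN A 192.0.2.1`, and the certificate's subject/SAN must carry that same hostname or the browser will still refuse the redirect.

```ios
! Added example (not from the thread): CLI equivalent of
! Configuration > Security > Web Auth > Global > General on a 9800.
! Assumption: the third-party certificate is in trustpoint GUEST-CA-TP.
configure terminal
 parameter-map type webauth global
  virtual-ip ipv4 192.0.2.1 virtual-host guest.corp.com
  trustpoint GUEST-CA-TP
 exit
end
! Verify what the controller will present to guests on the virtual IP
show running-config | section parameter-map type webauth global
show crypto pki certificates GUEST-CA-TP
```

After applying this, check from a client on the guest SSID that `guest.corp.com` resolves to 192.0.2.1 and that the certificate shown in the browser is the third-party one for that name; if resolution fails, the problem is the guests' DNS path, not the controller.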
09-01-2022 08:28 AM
Hello,
It's that last part that I am confused about: what DNS server? We are using our ISP's DNS servers for the guest wireless, so will I have to change that to use our local DNS instead? If we use our local DNS, is there a way for us to access the controller securely on the management IP while guests access the virtual IP/DNS name when they sign in?
I am looking through the DHCP options; is it possible to add the IP and hostname there so we can keep the external DNS?
09-01-2022 09:03 AM