15039 Rejected per authorization profile

Adnan Ahmad
Level 1

Hello experts,

I am getting the following error when I use dot1x with local user authen on ISE.

Switchport configuration is below:

inter gig1/0/9
switchport
switchport mode access
switchport voice vlan 221
authen port-control auto
authen host-mode multi-auth
authen order mab dot1x
authen priority dot1x mab
mab
dot1x pae authen
exit

After trying a few times it registers with MAB authen, which I don't want. The VLAN is downloaded from dACL.

I need to solve this issue ASAP, please can someone help in this regard. I'm new to ISE, so if you need any further info please let me know.

Thanks in advance.

Regards,

Adnan

ISE-Error.jpg

18 Replies

Do you have the problem with all computers/users or just one/some?

Try changing the order, run dot1x before mab: authentication order dot1x mab

If dot1x authentication fails then the client is probably not matching against the rules you've defined in the policy.

 

Hi RJI,

Thanks for your reply.

Actually I have a phone, and through that I have one MAB PC and another dot1x PC connected. So on the same port the MAB PC gets authenticated, but for dot1x it is not and gives that error. I have a local user defined on ISE which I use for authentication. But it doesn't authenticate and gives the error.

I will check it with order dot1x mab on the port and paste the result here today.

Regards,

Adnan

Hi Adnan, Can you post a screenshot of your Authorization rules from the policy set please?

 

Hi RJI,

Please see the attached screenshots of the Author profile, Authen rule and Author rules.

Regards,

Adnan

Ok, so in the Authorisation rule you've defined a condition of Dot1x-PC, what is that? I am not referring to the permission you've defined of the same name.

What authentication method are you using? PEAP/MSCHAPv2?

Can you send the output of "show authentication session interface Gi1/0/14" once the device has passed/failed authentication please?

It is a user identity group. I have created a user and then called this group in that user. Below are the "show authen session details" in the attached Pic 6.

The first PC is using Dot1x authen with a local user defined on ISE. It fails, and then the MAC is learnt by the ISE and it authenticates it with MAC.

I want it to be authenticated with Dot1x.

Regards,

Adnan

Can you show me the output of the interface Gi1/0/14? I would like to see that output. - "show authentication session interface Gi1/0/14"

How is the client computer configured, and for what authentication protocol?

Can you do a tcpdump on the PSN and then do an authentication of a client PC?

Has this actually ever worked, or are you just attempting to set it up now?

Hi RJI,

Please see the attached Pics for the authen on the PC side. This is actually a new setup, but we do have the same setup on other sites and they are working fine.

Regards,

Hi, Ok I see how the client is going to authenticate.

I'd still like to see the output of "show authentication session interface Gi1/0/14", not the summary of all interfaces you've sent.

Do you have the tcpdump packet capture?

Below is the output.

            Interface:  GigabitEthernet1/0/14
          MAC Address:  0050.56ae.231b
         IPv6 Address:  Unknown
         IPv4 Address:  192.168.216.216
            User-Name:  00-50-56-AE-23-1B
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  0A640816000000A212D73754
      Acct Session ID:  Unknown
               Handle:  0xFE00008B
       Current Policy:  POLICY_Gi1/0/14

Local Policies:
         OPEN DIR ACL:  Open-Dir-ACL
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Server Policies:

Method status list:
       Method           State

       mab              Authc Success

----------------------------------------
            Interface:  GigabitEthernet1/0/14
          MAC Address:  0050.56ae.d5b5
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  00-50-56-AE-D5-B5
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  0A640816000000AA12FBE3C1
      Acct Session ID:  Unknown
               Handle:  0x98000093
       Current Policy:  POLICY_Gi1/0/14

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Server Policies:

Method status list:
       Method           State

       mab              Authc Success

----------------------------------------
            Interface:  GigabitEthernet1/0/14
          MAC Address:  5000.0017.0000
         IPv6 Address:  Unknown
         IPv4 Address:  10.100.8.4
            User-Name:  50-00-00-17-00-00
               Status:  Unauthorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  0A640816000000A512D7AB86
      Acct Session ID:  Unknown
               Handle:  0xE700008E
       Current Policy:  POLICY_Gi1/0/14

Local Policies:
         OPEN DIR ACL:  Open-Dir-ACL
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Method status list:
       Method           State

       mab              Authc Success

----------------------------------------
            Interface:  GigabitEthernet1/0/14
          MAC Address:  346f.9016.d825
         IPv6 Address:  Unknown
         IPv4 Address:  10.100.215.10
            User-Name:  34-6F-90-16-D8-25
               Status:  Authorized
               Domain:  VOICE
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  0A640816000000A412D7A8A3
      Acct Session ID:  Unknown
               Handle:  0x9B00008D
       Current Policy:  POLICY_Gi1/0/14

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Server Policies:
              ACS ACL:  xACSACLx-IP-PERMIT_ALL_TRAFFIC-57452910

Method status list:
       Method           State

       mab              Authc Success

----------------------------------------
            Interface:  GigabitEthernet1/0/14
          MAC Address:  5000.0002.0000
         IPv6 Address:  Unknown
         IPv4 Address:  Unknown
            User-Name:  50-00-00-02-00-00
               Status:  Authorized
               Domain:  DATA
       Oper host mode:  multi-auth
     Oper control dir:  both
      Session timeout:  N/A
      Restart timeout:  N/A
Periodic Acct timeout:  N/A
    Common Session ID:  0A640816000000A612D7ECED
      Acct Session ID:  Unknown
               Handle:  0x2E00008F
       Current Policy:  POLICY_Gi1/0/14

Local Policies:
        Service Template: DEFAULT_LINKSEC_POLICY_SHOULD_SECURE (priority 150)
      Security Policy:  Should Secure
      Security Status:  Link Unsecure

Server Policies:

Method status list:
       Method           State

       mab              Authc Success

Ok, it hasn't even run dot1x on that interface.

Do you have dot1x system-auth-control configured globally?

Hi,

Yes, I have configured "dot1x system-auth-control" globally.

I have a 3750E with IOS version 15.2. The following output is what I get when I run "show authen session inter gig1/0/14":

Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/14     0050.56ae.231b mab     DATA    Auth      0A640816000000EB16BE55B0
Gi1/0/14     0050.56ae.d5b5 mab     DATA    Auth      0A640816000000F016D9EA2D
Gi1/0/14     5000.0017.0000 mab     DATA    Unauth    0A640816000000EE16BF081C
Gi1/0/14     346f.9016.d825 mab     VOICE   Auth      0A640816000000EC16BEA5F8
Gi1/0/14     5000.0002.0000 mab     DATA    Auth      0A640816000000ED16BEE903


Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
    6        5      dot1x
    20       10     mab
    18       15     webauth

Below is the authen detail on inter gig1/0/14. For the TCP dump, I don't have it now but I can get it.

Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/14     0050.56ae.231b mab     DATA    Auth      0A640816000000A212D73754
Gi1/0/14     0050.56ae.d5b5 mab     DATA    Auth      0A640816000000AA12FBE3C1
Gi1/0/14     5000.0017.0000 mab     DATA    Unauth    0A640816000000A512D7AB86
Gi1/0/14     346f.9016.d825 mab     VOICE   Auth      0A640816000000A412D7A8A3
Gi1/0/14     5000.0002.0000 mab     DATA    Auth      0A640816000000A612D7ECED


Key to Session Events Blocked Status Flags:

  A - Applying Policy (multi-line status for details)
  D - Awaiting Deletion
  F - Final Removal in progress
  I - Awaiting IIF ID allocation
  N - Waiting for AAA to come up
  P - Pushed Session
  R - Removing User Profile (multi-line status for details)
  U - Applying User Profile (multi-line status for details)
  X - Unknown Blocker

Runnable methods list:
  Handle  Priority  Name
    6        5      dot1x
    20       10     mab
    18       15     webauth

Ok, it looks like you've run "show authentication interface Gi1/0/14"

I'd like the output of "show authentication session interface Gi1/0/14"

And please indicate which is the mac address of the PC attempting dot1x.

And when you can, please send the tcpdump packet capture; filter on the IP address of the switch if you have a lot of authentications going on.
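As an added example (not from the thread, and not Cisco or ISE code), a small Python checker that reads the summary format of "show authentication sessions" shown above and an interface configuration, and reports the two things this thread turns on: DATA-domain hosts that ended up authorized via MAB rather than dot1x, and interfaces whose authentication order lists mab before dot1x (the change RJI suggests). The sample output and config are constructed; the MAC addresses and Gi1/0/15 are placeholders.

```python
import re

# Constructed sample in the format of "show authentication sessions" from the thread
SAMPLE_SESSIONS = """\
Interface    MAC Address    Method  Domain  Status Fg Session ID
----------------------------------------------------------------------
Gi1/0/14     0050.56ae.231b mab     DATA    Auth      0A640816000000A212D73754
Gi1/0/14     5000.0017.0000 mab     DATA    Unauth    0A640816000000A512D7AB86
Gi1/0/14     346f.9016.d825 mab     VOICE   Auth      0A640816000000A412D7A8A3
Gi1/0/15     0050.56ae.aaaa dot1x   DATA    Auth      0A640816000000B012D7AAAA
"""
# Constructed interface config; Gi1/0/14 mirrors the mab-first order in the post
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/14
 authentication order mab dot1x
interface GigabitEthernet1/0/15
 authentication order dot1x mab
"""
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")

def parse_sessions(text):
    """Parse summary rows into dicts; the Fg column is optional and usually empty."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or not MAC_RE.match(parts[1]):
            continue  # header, separator or blank line
        iface, mac, method, domain, status = parts[:5]
        flag, sid = (parts[5], parts[6]) if len(parts) == 7 else ("", parts[5])
        rows.append(dict(iface=iface, mac=mac, method=method, domain=domain,
                         status=status, flag=flag, sid=sid))
    return rows

def mab_fallbacks(rows):
    """DATA-domain hosts authorized by MAB only (the symptom); VOICE hosts are expected on MAB."""
    return [r["mac"] for r in rows
            if r["domain"] == "DATA" and r["method"] == "mab" and r["status"] == "Auth"]

def mab_first_interfaces(config):
    """Interfaces whose 'authentication order' lists mab before dot1x."""
    bad, iface = [], None
    for line in config.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            iface = s.split(None, 1)[1]
        elif s.startswith("authentication order") and iface:
            m = s.split()[2:]
            if "mab" in m and "dot1x" in m and m.index("mab") < m.index("dot1x"):
                bad.append(iface)
    return bad
```

Run it over the real command output and running-config to get the list of PCs that silently fell back to MAB and the ports still ordered mab-first.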