Cisco Support Community
Community Member

Adding IPS Modules to IPS

Have got ISE 1.2 running and have my firewalls authenticating against them and need to get my IPS modules authenticating as well but don't seem to be able to get them to.

My settings on the IPS device are as follows:

Server IP Address - {ISE Address}

Authentication Port - 1645

Timeout (seconds) - 3

Shared Secret - {Shared Secret}

However ISE is rejecting the request

11001 Received RADIUS Access-Request
11017 RADIUS created a new session
11015 An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier or both; Continue processing
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15006 Matched Default Rule
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - ActiveDirectory
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory - $$-jregan
24416 User's Groups retrieval from Active Directory succeeded
24420 User's Attributes retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - Default
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject

Do I need to set a new condition based on some specific piece of information for ISE to recognise this device's request?

Any advice would be greatly appreciated.

Many thanks in advance


Cisco Employee

Adding IPS Modules to IPS


Looks like you're landing on default authorization policy (DenyAccess).

Add an authorization policy that would match the network device/AAA client of your IPS, and make sure it's on top. Take it from there.

Also 1645 - old port, ISE should be listening to old and new, but 1812 is what you would typically see for any other device config.


Re: Adding IPS Modules to IPS

Can you post a screenshot of your authorization policies, along with IPS settings in ISE?


Tarik Admani *Please rate helpful posts*
Community Member

Adding IPS Modules to IPS

Hi Tarik,

Here is the condition used in my Authorisation Policy for allowing access to the IPS module:

ActiveDirectory:ExternalGroups EQUALS {AD Group of which I am a member}


Network Access:AuthenticationMethod EQUALS PAP_ASCII


Radius:NAS-IP-Address EQUALS {IP Address of the module}

I'm not sure what you mean by "IPS settings in ISE"; all I have done is add a device using the IP address and shared secret.
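Added example, not part of any post in this thread and not Cisco code: a small Python model of first-match authorization that replays the posted steps against the three posted conditions. It reads step 11015 as meaning the Access-Request carried no NAS-IP-Address. The rule name `IPS-Admin`, the `PermitAccess` result, the `source_ip` field, the group name and the 192.0.2.10 address are assumptions made for illustration.

```python
import re

# Six steps copied from the log in the first post (step ID fused as pasted).
LOG = """\
11001Received RADIUS Access-Request
11015An Access-Request MUST contain either a NAS-IP-Address or a NAS-Identifier or both; Continue processing
22037Authentication Passed
15004Matched rule - Default
15016Selected Authorization Profile - DenyAccess
11003Returned RADIUS Access-Reject
"""

def parse_steps(text):
    """Return {step_id: message}; tolerates a missing space after the ID."""
    found = (re.match(r"\s*(\d{5})\s*(.+)", line) for line in text.splitlines())
    return {int(m.group(1)): m.group(2).strip() for m in found if m}

def build_request(steps, source_ip, groups):
    """Model the attributes the authorization policy can test."""
    request = {"ExternalGroups": set(groups),
               "AuthenticationMethod": "PAP_ASCII",   # assumed, as in the posted rule
               "source_ip": source_ip}                # hypothetical field, not an ISE name
    if 11015 not in steps:          # assumption: 11015 logged => attribute absent
        request["NAS-IP-Address"] = source_ip
    return request

def holds(request, attr, wanted):
    value = request.get(attr)       # None when the attribute is absent
    return wanted in value if isinstance(value, set) else value == wanted

def authorize(rules, request):
    """First match wins; anything unmatched lands on Default / DenyAccess."""
    for name, conditions, profile in rules:
        if all(holds(request, a, w) for a, w in conditions.items()):
            return name, profile
    return "Default", "DenyAccess"

# The three conditions from the last post; group and address are placeholders.
GROUP, MODULE_IP = "EXAMPLE-AD-GROUP", "192.0.2.10"
RULE_AS_POSTED = ("IPS-Admin", {"ExternalGroups": GROUP,
                                "AuthenticationMethod": "PAP_ASCII",
                                "NAS-IP-Address": MODULE_IP}, "PermitAccess")
RULE_BY_SOURCE = ("IPS-Admin", {"ExternalGroups": GROUP,
                                "AuthenticationMethod": "PAP_ASCII",
                                "source_ip": MODULE_IP}, "PermitAccess")

if __name__ == "__main__":
    req = build_request(parse_steps(LOG), MODULE_IP, [GROUP])
    print(authorize([RULE_AS_POSTED], req), authorize([RULE_BY_SOURCE], req))
```

In this model the rule as posted falls through to Default because an absent attribute cannot equal anything, while the same rule keyed on the device that sent the request matches.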


