Hello, I have a question about Cisco's Identity Services Engine. I have a Cisco phone that is being denied network access.
Endpoint Profile: Cisco-Device
Authentication Failure Reason: 15039 Rejected per authorization profile
Authentication Policy: Internal Endpoints
Authorization Policy: Default
Authentication Protocol: Lookup
Would you please let me know how I can grant network access to this device?
Last Comment: Tim__, 8/22/2022 - Mon
Craig Beck
You're not matching an authorization profile so you're hitting the default deny.
Could you check the Operations -> Live Log entry for a failed authentication and post a screenshot of the details (click on the magnifying glass)?
Also, screenshot your Policy Set rules and post here.
Tim__
ASKER
Good morning, Mr. Beck. Thank you for your help. The Live Log entry is too large to fit on one screen, so I attached it as a text file. I also attempted to take a screenshot of the Policy Set rules, but I am not sure that I got the correct information.
Attachments: Policy-Set.png, Live-Log.txt
Craig Beck
Thanks, Tim.
Could you open the Wired MAB policy set and screenshot that for me, please? I need to see the authorization policy within that policy set.
Tim__
ASKER
I am looking in Policy > Policy Sets, Mr. Beck, but I do not see any way to open the Wired MAB policy set. Would you please let me know how I can expand it?
Tim__
ASKER
I just noticed that Internet Explorer was not displaying the entire Web page to me. To see the arrows for opening the Policy Set, I had to browse ISE using the Edge browser. Now that I can see it, it looks like only the printers are being authorized.
Attachment: Wired-MAB.png
Craig Beck
"Now that I can see it, it looks like only the printers are being authorized"
Correct!
I can see you're also doing SGT imposition on the printers. You can duplicate the rule and change the endpoint identity group to match the Cisco phones, but you may also need to set the Security Group to something other than PRINTERS.
Tim__
ASKER
I am sorry. I do not know what you mean by SGT imposition. If I duplicate the rule, I could change the Security Group to IP phones. Would I also have to create a new authorization profile under Results Profiles? And what about the Conditions? Would I have to set the IdentityGroup-Name equal to Cisco_Profile_Phones?