Tim__
 asked on

Cisco ISE version 2.6.0.156 - Rejected Endpoints

Hello, I have a question about Cisco's Identity Services Engine. I have a Cisco phone that is being denied network access.

Endpoint Profile: Cisco-Device
Authentication Failure Reason: 15039 Rejected per authorization profile
Authentication Policy: Internal Endpoints
Authorization Policy: Default
Authentication Protocol: Lookup

Would you please let me know how I can grant network access to this device?

Last Comment: Tim__, 8/22/2022 - Mon
Craig Beck

You're not matching an authorization profile so you're hitting the default deny.

Could you check the Operations -> Live Log entry for a failed authentication and post a screenshot of the details (click on the magnifying glass)?

Also, screenshot your Policy Set rules and post here.
Tim__

ASKER
Good morning, Mr. Beck. Thank you for your help. The Live Log entry is too large to fit on one screen, so I attached it as a text file. I also attempted to take a screenshot of the Policy Set rules, but I am not sure that I got the correct information.
Policy-Set.png
Live-Log.txt
Craig Beck

Thanks, Tim.

Could you open the Wired MAB policy set and screenshot that for me, please? I need to see the authorization policy within that policy set.
Tim__

ASKER
I am looking in Policy > Policy Sets, Mr. Beck, but I do not see any way to open the Wired MAB policy set. Would you please let me know how I can expand it?
Tim__

ASKER
I just noticed that Internet Explorer was not displaying the entire Web page to me. To see the arrows for opening the Policy Set, I had to browse ISE using the Edge browser. Now that I can see it, it looks like only the printers are being authorized.
Wired-MAB.png
Craig Beck

"Now that I can see it, it looks like only the printers are being authorized"

Correct!

I can see you're also doing SGT imposition on the printers. You can duplicate the rule and change the endpoint identity group to match the Cisco phones, but you may also need to set the Security Group to something other than PRINTERS.
Tim__

ASKER
I am sorry. I do not know what you mean by SGT imposition. If I duplicate the rule, I could change the Security Group to IP phones. Would I also have to create a new authorization profile under Results Profiles? And what about the Conditions? Would I have to set the IdentityGroup-Name equal to Cisco_Profile_Phones?
ASKER CERTIFIED SOLUTION
Craig Beck

Log in or sign up to see answer
Tim__

ASKER
I apologize for the delay, Mr. Beck. That worked. Thank you very much for your help. I appreciate it.