- Software Firewalls
- Anti-Virus Apps
- Hardware Firewalls
- Cisco
Cisco ISE version 2.6.0.156 - Rejected Endpoints
Hello, I have a question about Cisco's Identity Services Engine. I have a Cisco phone that is being denied network access.
Endpoint Profile
Cisco-Device
Authentication Failure Reason
15039 Rejected per authorization profile
Authentication Policy
Internal Endpoints
Authorization Policy
Default
Authentication Protocol
Lookup
Would you please let me know how I can grant network access to this device?
Endpoint Profile
Cisco-Device
Authentication Failure Reason
15039 Rejected per authorization profile
Authentication Policy
Internal Endpoints
Authorization Policy
Default
Authentication Protocol
Lookup
Would you please let me know how I can grant network access to this device?
You're not matching an authorization profile so you're hitting the default deny.
Could you check the Operations -> Live Log entry for a failed authentication and post a screenshot of the details (click on the magnifying glass).
Also, screenshot your Policy Set rules and post here.
Could you check the Operations -> Live Log entry for a failed authentication and post a screenshot of the details (click on the magnifying glass).
Also, screenshot your Policy Set rules and post here.
Good morning, Mr. Beck. Thank you for your help. The Live Log entry is too large to fit on one screen, so I attached it as a text file. I also attempted to take a screenshot of the Policy Set rules, but I am not sure that I got the correct information.
Policy-Set.png
Live-Log.txt
Policy-Set.png
Live-Log.txt
Thanks, Tim.
Could you open the Wired MAB policy set and screenshot that for me, please? I need to see the authorization policy within that policy set.
Could you open the Wired MAB policy set and screenshot that for me, please? I need to see the authorization policy within that policy set.
I am looking in Policy > Policy Sets, Mr. Beck, but I do not see any way to open the Wired MAB policy set. Would you please let me know how I can expand it?
I just noticed that Internet Explorer was not displaying the entire Web page to me. To see the arrows for opening the Policy Set, I had to browse ISE using the Edge browser. Now that I can see it, it looks like only the printers are being authorized.
Wired-MAB.png
Wired-MAB.png
Now that I can see it, it looks like only the printers are being authorized
Correct!
I can see you're also doing SGT imposition on the printers. You can duplicate the rule and change the endpoint identity group to match the Cisco phones, but you may also need to set the Security Group to something other than PRINTERS.
I am sorry. I do not know what you mean by SGT imposition. If I duplicate the rule, I could change the Security Group to IP phones. Would I also have to create a new authorization profile under Results Profiles? And what about the Conditions? Would I have to set the IdentityGroup-Name equal to Cisco_Profile_Phones?
To answer the rule question first, no you won't have to create a new authorization profile. ISE has a profile called "Cisco_IP_Phones" configured out-of-the-box which allows Cisco IP Phones to authorize and hit the Voice VLAN on the switch. You just need to apply that to the duplicated rule. For other devices though you would need to if you wanted to apply dynamic VLAN or ACL attributes, but if you just want devices to gain network access based on a default VLAN you have configured on the port you can just select the "PermitAccess" profile and you'll be good. You would need to change the condition to match the endpoint group you have configured for the Cisco IP Phones, so you'll probably have to set that to use the group called "Cisco-Device", as that's what it matched according to the authentication log.
Now for the first part of the question, SGT imposition is basically applying a SGT via authorization. In the rule you have two "tags" if you like; Profiles and Security Groups. They're on the right of the rule.
For a rule to allow access you normally only need the Profile to be specified. This tells ISE to send the ACCESS_ACCEPT and any optional authorization-specific attributes to the network device, such as VLAN ID, ACL, etc. You can also optionally send a SGT using the Security Group feature. This applies a type of access-control similar to an ACL that tells the network device what tag to apply to the endpoint. When the endpoint sends a packet, the network device where the endpoint connects (switch or WLC) applies the SGT and a "matrix" within ISE specifies which traffic (based on the SGT applied) is allowed or denied. You create this matrix via the TrustSec Workcentre in ISE.
As an example, if you have printers connected to the network with a SGT applied called PRINTERS, as in your configuration, you could specify via the TrustSec matrix within ISE, that any device with the PRINTERS SGT can only talk to other devices with the PRINTERS SGT. You can have lots of different SGTs for different types of endpoints or users and apply access controls in this way; each endpoint/user has a tag (SGT) and you say what tag can talk to other tags in the matrix. Another example would be if you wanted Admin Workstations to talk to printers. Admin Workstations could have a SGT applied called ADMINPC and the matrix would allow ADMINPC to talk to PRINTERS.
Long and short of it is that SGTs apply traffic restrictions. If you are applying (or imposing) tags to endpoints and users you need to apply them via the authorization rule. The reason I mentioned it is because you appear to be using SGTs, so in your new (duplicated) rule for Cisco IP Phones, you'll need to remove the PRINTERS SGT and apply either nothing, or a SGT specifically for the IP Phones.
Now for the first part of the question, SGT imposition is basically applying a SGT via authorization. In the rule you have two "tags" if you like; Profiles and Security Groups. They're on the right of the rule.
For a rule to allow access you normally only need the Profile to be specified. This tells ISE to send the ACCESS_ACCEPT and any optional authorization-specific attributes to the network device, such as VLAN ID, ACL, etc. You can also optionally send a SGT using the Security Group feature. This applies a type of access-control similar to an ACL that tells the network device what tag to apply to the endpoint. When the endpoint sends a packet, the network device where the endpoint connects (switch or WLC) applies the SGT and a "matrix" within ISE specifies which traffic (based on the SGT applied) is allowed or denied. You create this matrix via the TrustSec Workcentre in ISE.
As an example, if you have printers connected to the network with a SGT applied called PRINTERS, as in your configuration, you could specify via the TrustSec matrix within ISE, that any device with the PRINTERS SGT can only talk to other devices with the PRINTERS SGT. You can have lots of different SGTs for different types of endpoints or users and apply access controls in this way; each endpoint/user has a tag (SGT) and you say what tag can talk to other tags in the matrix. Another example would be if you wanted Admin Workstations to talk to printers. Admin Workstations could have a SGT applied called ADMINPC and the matrix would allow ADMINPC to talk to PRINTERS.
Long and short of it is that SGTs apply traffic restrictions. If you are applying (or imposing) tags to endpoints and users you need to apply them via the authorization rule. The reason I mentioned it is because you appear to be using SGTs, so in your new (duplicated) rule for Cisco IP Phones, you'll need to remove the PRINTERS SGT and apply either nothing, or a SGT specifically for the IP Phones.
-
![]()
received a Solution
cisco amp for endpoints and necessary of antivirus -
![]()
wrote an Article
![]()
HOW TO: Recover a Password on Cisco Devices
-
![]()
created a Video
![]()
The Concerto Difference
-
Explore Cloud Class® ![]()
Certification: CCNP Cisco Certified Network Professional - Troubleshooting and Maintaining Cisco IP Networks
Premium Content
You need an Expert Office subscription to comment.Start Free Trial