Tim__

Cisco ISE version 2.6.0.156 - Rejected Endpoints

Hello, I have a question about Cisco's Identity Services Engine. I have a Cisco phone that is being denied network access.

Endpoint Profile: Cisco-Device
Authentication Failure Reason: 15039 Rejected per authorization profile
Authentication Policy: Internal Endpoints
Authorization Policy: Default
Authentication Protocol: Lookup

Would you please let me know how I can grant network access to this device?
Craig Beck

You're not matching an authorization profile so you're hitting the default deny.

Could you check the Operations -> Live Log entry for a failed authentication and post a screenshot of the details (click on the magnifying glass).

Also, screenshot your Policy Set rules and post here.
Tim__

ASKER

Good morning, Mr. Beck. Thank you for your help. The Live Log entry is too large to fit on one screen, so I attached it as a text file. I also attempted to take a screenshot of the Policy Set rules, but I am not sure that I got the correct information.
Policy-Set.png
Live-Log.txt
Craig Beck

Thanks, Tim.

Could you open the Wired MAB policy set and screenshot that for me, please? I need to see the authorization policy within that policy set.
Tim__

ASKER

I am looking in Policy > Policy Sets, Mr. Beck, but I do not see any way to open the Wired MAB policy set. Would you please let me know how I can expand it?
Tim__

ASKER

I just noticed that Internet Explorer was not displaying the entire Web page to me. To see the arrows for opening the Policy Set, I had to browse ISE using the Edge browser. Now that I can see it, it looks like only the printers are being authorized.
Wired-MAB.png
Craig Beck

"Now that I can see it, it looks like only the printers are being authorized"

Correct!

I can see you're also doing SGT imposition on the printers. You can duplicate the rule and change the endpoint identity group to match the Cisco phones, but you may also need to set the Security Group to something other than PRINTERS.
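The fall-through to the default deny and the effect of duplicating the printer rule, as an added example that is not part of the original thread and is not ISE code. It is a simplified first-match model; the rule names, the identity group names, the IP_PHONES security group and the PermitAccess/DenyAccess profile names are assumptions made for illustration.

```python
# Simplified model of first-match authorization inside one policy set.
# Not ISE code: all rule, group and profile names are constructed samples.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: Optional[str]  # None means no condition (catch-all rule)
    profile: str
    security_group: Optional[str] = None


def authorize(endpoint_group, rules):
    """Return the first rule whose condition matches, evaluated top to bottom."""
    for rule in rules:
        if rule.identity_group is None or rule.identity_group == endpoint_group:
            return rule
    raise ValueError("policy has no catch-all Default rule")


def duplicate_rule(rules, source_name, new_name, identity_group, security_group):
    """Copy a rule, change its group condition and SGT, place it above Default."""
    src = next(r for r in rules if r.name == source_name)
    new = Rule(new_name, identity_group, src.profile, security_group)
    idx = next(i for i, r in enumerate(rules) if r.identity_group is None)
    return rules[:idx] + [new] + rules[idx:]


# Constructed policy: only printers are authorized, everything else is denied.
BEFORE = [
    Rule("Printers", "Printers", "PermitAccess", "PRINTERS"),
    Rule("Default", None, "DenyAccess"),
]
AFTER = duplicate_rule(BEFORE, "Printers", "Phones",
                       "Cisco_Profile_Phones", "IP_PHONES")


def describe(endpoint_group, rules):
    rule = authorize(endpoint_group, rules)
    return (f"{endpoint_group}: rule={rule.name} "
            f"profile={rule.profile} sgt={rule.security_group}")


if __name__ == "__main__":
    for label, policy in (("before", BEFORE), ("after", AFTER)):
        for group in ("Printers", "Cisco_Profile_Phones"):
            print(label, describe(group, policy))
```
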
Tim__

ASKER

I am sorry. I do not know what you mean by SGT imposition. If I duplicate the rule, I could change the Security Group to IP phones. Would I also have to create a new authorization profile under Results Profiles? And what about the Conditions? Would I have to set the IdentityGroup-Name equal to Cisco_Profile_Phones?
ASKER CERTIFIED SOLUTION
Craig Beck

This solution is only available to members.
Tim__

ASKER

I apologize for the delay, Mr. Beck. That worked. Thank you very much for your help. I appreciate it.