
Cisco ISE version 2.6.0.156 - Rejected Endpoints

Tim__ asked:
Hello, I have a question about Cisco's Identity Services Engine. I have a Cisco phone that is being denied network access.

Endpoint Profile
Cisco-Device

Authentication Failure Reason
15039 Rejected per authorization profile

Authentication Policy
Internal Endpoints

Authorization Policy
Default

Authentication Protocol
Lookup

Would you please let me know how I can grant network access to this device?

Top Expert 2014

Commented:
You're not matching an authorization profile, so you're hitting the default deny.

Could you check the Operations -> Live Log entry for a failed authentication and post a screenshot of the details (click on the magnifying glass).

Also, screenshot your Policy Set rules and post here.

Author

Commented:
Good morning, Mr. Beck. Thank you for your help. The Live Log entry is too large to fit on one screen, so I attached it as a text file. I also attempted to take a screenshot of the Policy Set rules, but I am not sure that I got the correct information.
Policy-Set.png
Live-Log.txt
Top Expert 2014

Commented:
Thanks, Tim.

Could you open the Wired MAB policy set and screenshot that for me, please? I need to see the authorization policy within that policy set.

Author

Commented:
I am looking in Policy > Policy Sets, Mr. Beck, but I do not see any way to open the Wired MAB policy set. Would you please let me know how I can expand it?

Author

Commented:
I just noticed that Internet Explorer was not displaying the entire Web page to me. To see the arrows for opening the Policy Set, I had to browse ISE using the Edge browser. Now that I can see it, it looks like only the printers are being authorized.
Wired-MAB.png
Top Expert 2014

Commented:
"Now that I can see it, it looks like only the printers are being authorized"

Correct!

I can see you're also doing SGT imposition on the printers. You can duplicate the rule and change the endpoint identity group to match the Cisco phones, but you may also need to set the Security Group to something other than PRINTERS.

Author

Commented:
I am sorry. I do not know what you mean by SGT imposition. If I duplicate the rule, I could change the Security Group to IP phones. Would I also have to create a new authorization profile under Results Profiles? And what about the Conditions? Would I have to set the IdentityGroup-Name equal to Cisco_Profile_Phones?
Top Expert 2014

Commented:
To answer the rule question first: no, you won't have to create a new authorization profile. ISE has a profile called "Cisco_IP_Phones" configured out-of-the-box which allows Cisco IP Phones to authorize and hit the Voice VLAN on the switch. You just need to apply that to the duplicated rule. For other devices, though, you would need to if you wanted to apply dynamic VLAN or ACL attributes, but if you just want devices to gain network access based on a default VLAN you have configured on the port, you can just select the "PermitAccess" profile and you'll be good. You would need to change the condition to match the endpoint group you have configured for the Cisco IP Phones, so you'll probably have to set that to use the group called "Cisco-Device", as that's what it matched according to the authentication log.

Now for the first part of the question: SGT imposition is basically applying an SGT via authorization. In the rule you have two "tags", if you like: Profiles and Security Groups. They're on the right of the rule.

For a rule to allow access you normally only need the Profile to be specified. This tells ISE to send the ACCESS_ACCEPT and any optional authorization-specific attributes to the network device, such as VLAN ID, ACL, etc. You can also optionally send an SGT using the Security Group feature. This applies a type of access control similar to an ACL that tells the network device what tag to apply to the endpoint. When the endpoint sends a packet, the network device where the endpoint connects (switch or WLC) applies the SGT, and a "matrix" within ISE specifies which traffic (based on the SGT applied) is allowed or denied. You create this matrix via the TrustSec Workcentre in ISE.

As an example, if you have printers connected to the network with an SGT applied called PRINTERS, as in your configuration, you could specify via the TrustSec matrix within ISE that any device with the PRINTERS SGT can only talk to other devices with the PRINTERS SGT. You can have lots of different SGTs for different types of endpoints or users and apply access controls in this way; each endpoint/user has a tag (SGT) and you say in the matrix which tag can talk to which other tags. Another example would be if you wanted Admin Workstations to talk to printers. Admin Workstations could have an SGT applied called ADMINPC, and the matrix would allow ADMINPC to talk to PRINTERS.

Long and short of it is that SGTs apply traffic restrictions. If you are applying (or imposing) tags to endpoints and users, you need to apply them via the authorization rule. The reason I mentioned it is that you appear to be using SGTs, so in your new (duplicated) rule for Cisco IP Phones you'll need to remove the PRINTERS SGT and apply either nothing or an SGT specifically for the IP Phones.
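The two mechanisms the expert describes above, first-match authorization inside a policy set with a Default deny rule, and a TrustSec SGT matrix, as a runnable toy model. This is an added example, not Cisco ISE code or an ISE API. The names Wired MAB, Cisco-Device, Cisco_IP_Phones, PermitAccess, PRINTERS and ADMINPC come from the thread; the identity group the printers rule matches ("Printers"), the MAC addresses and the matrix cells are assumptions. Real ISE rules can carry compound conditions and the policy set itself is selected by a condition; both are reduced here to a single IdentityGroup-Name match, which is enough to show why the phone hit Default, why the duplicated rule fixes it, and what keeping the PRINTERS SGT on the phone rule would have done.

```python
"""Toy model of ISE-style first-match authorization and a TrustSec SGT matrix.

Added example, not Cisco ISE code. Names follow the thread; the printers
identity group ("Printers"), the MACs and the matrix cells are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

DENY_ACCESS = "DenyAccess"
# Failure reason text as it appears in the ISE live log quoted in the thread.
REJECT_REASON = "15039 Rejected per authorization profile"


@dataclass(frozen=True)
class Endpoint:
    mac: str
    identity_group: str          # profiled endpoint identity group, e.g. Cisco-Device


@dataclass(frozen=True)
class AuthzRule:
    name: str
    identity_group: str          # condition: IdentityGroup-Name EQUALS ...
    profile: str                 # result profile: Cisco_IP_Phones, PermitAccess, ...
    sgt: Optional[str] = None    # optional Security Group imposed on match


@dataclass
class PolicySet:
    name: str
    rules: list = field(default_factory=list)
    default_profile: str = DENY_ACCESS   # the Default rule at the bottom of the set


@dataclass(frozen=True)
class Decision:
    rule: str
    profile: str
    sgt: Optional[str]
    permitted: bool
    reason: str


def authorize(policy_set: PolicySet, ep: Endpoint) -> Decision:
    """Evaluate rules top-down; first match wins, no match falls through to Default."""
    for rule in policy_set.rules:
        if rule.identity_group == ep.identity_group:
            return Decision(rule.name, rule.profile, rule.sgt,
                            rule.profile != DENY_ACCESS, "matched")
    if policy_set.default_profile == DENY_ACCESS:
        return Decision("Default", DENY_ACCESS, None, False, REJECT_REASON)
    return Decision("Default", policy_set.default_profile, None, True, "default permit")


def sgt_allowed(matrix: set, src: str, dst: str) -> bool:
    """Toy matrix: traffic is denied unless an explicit (src, dst) cell permits it."""
    return (src, dst) in matrix


def reachable(matrix: set, src: str) -> set:
    """Every destination SGT an endpoint carrying `src` may talk to."""
    return {d for s, d in matrix if s == src}


# Constructed data modelled on the thread.
printers_rule = AuthzRule("Printers", "Printers", "PermitAccess", sgt="PRINTERS")
phones_rule = AuthzRule("Cisco IP Phones", "Cisco-Device", "Cisco_IP_Phones", sgt=None)
# A copy of the printers rule with only the group and profile changed: the SGT is still PRINTERS.
phones_rule_wrong_sgt = AuthzRule("Cisco IP Phones", "Cisco-Device", "Cisco_IP_Phones", sgt="PRINTERS")

wired_mab_before = PolicySet("Wired MAB", [printers_rule])
wired_mab_after = PolicySet("Wired MAB", [printers_rule, phones_rule])
wired_mab_wrong_sgt = PolicySet("Wired MAB", [printers_rule, phones_rule_wrong_sgt])

phone = Endpoint("00:11:22:aa:bb:cc", "Cisco-Device")   # constructed MAC
printer = Endpoint("00:11:22:dd:ee:ff", "Printers")      # constructed MAC

# Constructed TrustSec matrix: printers talk only to printers, admin PCs may print.
MATRIX = {("PRINTERS", "PRINTERS"), ("ADMINPC", "PRINTERS"), ("ADMINPC", "ADMINPC")}

if __name__ == "__main__":
    for ps in (wired_mab_before, wired_mab_after, wired_mab_wrong_sgt):
        d = authorize(ps, phone)
        print(f"{ps.name} ({len(ps.rules)} rules): phone -> {d.rule} / {d.profile} / SGT={d.sgt} ({d.reason})")
    print("PRINTERS may reach:", reachable(MATRIX, "PRINTERS"))
    print("ADMINPC -> PRINTERS allowed:", sgt_allowed(MATRIX, "ADMINPC", "PRINTERS"))
```

Running it shows the phone falling through to Default with the 15039 reason on the original set, matching the new rule with Cisco_IP_Phones and no SGT on the fixed set, and, on the carelessly duplicated set, being tagged PRINTERS and therefore confined by the matrix to talking to printers only.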

Author

Commented:
I apologize for the delay, Mr. Beck. That worked. Thank you very much for your help. I appreciate it.