Tim__ asked:

Cisco ISE version - Rejected Endpoints

Hello, I have a question about Cisco's Identity Services Engine. I have a Cisco phone that is being denied network access.

Endpoint Profile

Authentication Failure Reason
15039 Rejected per authorization profile

Authentication Policy
Internal Endpoints

Authorization Policy

Authentication Protocol

Would you please let me know how I can grant network access to this device?

Last Comment

8/22/2022 - Mon
Craig Beck

You're not matching an authorization profile so you're hitting the default deny.

Could you check the Operations -> Live Log entry for a failed authentication and post a screenshot of the details (click on the magnifying glass)?

Also, screenshot your Policy Set rules and post here.

Good morning, Mr. Beck. Thank you for your help. The Live Log entry is too large to fit on one screen, so I attached it as a text file. I also attempted to take a screenshot of the Policy Set rules, but I am not sure that I got the correct information.
Craig Beck

Thanks, Tim.

Could you open the Wired MAB policy set and screenshot that for me, please? I need to see the authorization policy within that policy set.

I am looking in Policy > Policy Sets, Mr. Beck, but I do not see any way to open the Wired MAB policy set. Would you please let me know how I can expand it?

I just noticed that Internet Explorer was not displaying the entire Web page to me. To see the arrows for opening the Policy Set, I had to browse ISE using the Edge browser. Now that I can see it, it looks like only the printers are being authorized.
Craig Beck

"Now that I can see it, it looks like only the printers are being authorized"

I can see you're also doing SGT imposition on the printers. You can duplicate the rule and change the endpoint identity group to match the Cisco phones, but you may also need to set the Security Group to something other than PRINTERS.

I am sorry. I do not know what you mean by SGT imposition. If I duplicate the rule, I could change the Security Group to IP phones. Would I also have to create a new authorization profile under Results Profiles? And what about the Conditions? Would I have to set the IdentityGroup-Name equal to Cisco_Profile_Phones?
Craig Beck

Log in or sign up to see answer

I apologize for the delay, Mr. Beck. That worked. Thank you very much for your help. I appreciate it.
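
The fix suggested in the thread, as an added example that is not part of the original posts and not Cisco's code: a simplified Python model of top-down, first-match authorization, in which the phone falls through to the default deny until the printer rule is duplicated for it. The rule names, the `Printers_Group` identity group and the helper functions are assumptions made for illustration; `Cisco_Profile_Phones`, `PRINTERS` and `IP phones` are the values mentioned in the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    identity_group: Optional[str]  # None = no condition (the default rule)
    profile: str                   # "PermitAccess" or "DenyAccess"
    sgt: Optional[str] = None      # Security Group assigned on a match

def authorize(rules, identity_group):
    """Return the first rule that matches, evaluating the list top-down."""
    for rule in rules:
        if rule.identity_group in (None, identity_group):
            return rule
    raise ValueError("policy has no default rule")

def denied_groups(rules, groups):
    """Identity groups whose endpoints end up on a DenyAccess result."""
    return [g for g in groups if authorize(rules, g).profile == "DenyAccess"]

def duplicate_rule(rules, source_name, new_name, identity_group, sgt):
    """Copy a rule, change its identity group and SGT, insert it above the source."""
    idx = next(i for i, r in enumerate(rules) if r.name == source_name)
    copy = Rule(new_name, identity_group, rules[idx].profile, sgt)
    return rules[:idx] + [copy] + rules[idx:]

# Constructed model of the Wired MAB authorization policy described in the thread:
# one rule for printers, then the default deny.
WIRED_MAB = [
    Rule("Printers", "Printers_Group", "PermitAccess", "PRINTERS"),
    Rule("Default", None, "DenyAccess"),
]
GROUPS = ["Printers_Group", "Cisco_Profile_Phones"]

# The suggested change: duplicate the printer rule for the phone identity group
# and give it a Security Group other than PRINTERS.
FIXED = duplicate_rule(WIRED_MAB, "Printers", "Phones",
                       "Cisco_Profile_Phones", "IP phones")

if __name__ == "__main__":
    print("denied before:", denied_groups(WIRED_MAB, GROUPS))
    print("denied after: ", denied_groups(FIXED, GROUPS))
    print("phone match:  ", authorize(FIXED, "Cisco_Profile_Phones"))
```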