[c-nsp] ACS 5.2 authorization issue

Ulrik Ivers ulrik.ivers at excanto.se
Mon Jun 23 08:04:36 EDT 2014 

Hi,

1. Check the name of the group in AD. Look for spaces or non-ASCII characters in the name.
2. Check the names of ALL groups the user is a member of in the same way as 1.

This might me a long shot, but things like this have been root cause for me in similar cases (not with ACS 5.2 though, never used that product). 

/Ulrik

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Murat Kaipov
Sent: den 23 juni 2014 11:07
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACS 5.2 authorization issue

Hello Guys.

I have little issue with authorization on ACS 5.2 for network access. 

Radius status: Authentication failed :
<https://172.24.25.6/avreports/servlet/GenericRedirector?command=submit&__re
questtype=immediate&invokeSubmit=true&__executableName=%2Fhome%2Facsadmin%2F
Failure_Reason%2FAuthentication_Failure_Code_Lookup.rptdesign&rptFailureReas
on=15039+Selected+Authorization+Profile+is+DenyAccess&__locale=en_US&iportal
ID=TKNENRBYE&__masterpage=false&__newWindow=false> 15039 Selected Authorization Profile is DenyAccess

For some reason some peoples can authorize and get access to network, others can't. ACS have access to Active Directory host, this issue occur only with one group in AD.

I have log from ACS.

 


11001  Received RADIUS Access-Request


11017  RADIUS created a new session


Evaluating Service Selection Policy


15004  Matched rule


15012  Selected Access Service - Network Access


11507  Extracted EAP-Response/Identity


12700  Prepared EAP-Request proposing LEAP with challenge.


11006  Returned RADIUS Access-Challenge


11001  Received RADIUS Access-Request


11018  RADIUS is re-using an existing session


12702  Extracted EAP-Response containing LEAP challenge-response and accepting LEAP as negotiated.


Evaluating Identity Policy


15006  Matched Default Rule


15013  Selected Identity Store - AD1


24430  Authenticating user against Active Directory


24416  User's Groups retrieval from Active Directory succeeded


24402  User authentication against Active Directory succeeded


22037  Authentication Passed


Evaluating Group Mapping Policy


Evaluating Exception Authorization Policy


15042  No rule was matched


Evaluating Authorization Policy


15006  Matched Default Rule


15016  Selected Authorization Profile - DenyAccess


15039  Selected Authorization Profile is DenyAccess


12706  LEAP authentication failed; Finishing protocol.


11504  Prepared EAP-Failure


11003  Returned RADIUS Access-Reject

 

 

 

__________________________________________________________________

B.R. Murat Kaipov

e-mail:  <mailto:mkkaipov at gmail.com> mkkaipov at gmail.com



 

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

More information about the cisco-nsp mailing list