[c-nsp] ACS 5.2 authorization issue
Ulrik Ivers
ulrik.ivers at excanto.se
Mon Jun 23 08:04:36 EDT 2014
Hi,
1. Check the name of the group in AD. Look for spaces or non-ASCII characters in the name.
2. Check the names of ALL groups the user is a member of in the same way as 1.
This might me a long shot, but things like this have been root cause for me in similar cases (not with ACS 5.2 though, never used that product).
/Ulrik
-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Murat Kaipov
Sent: den 23 juni 2014 11:07
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACS 5.2 authorization issue
Hello Guys.
I have little issue with authorization on ACS 5.2 for network access.
Radius status: Authentication failed :
<https://172.24.25.6/avreports/servlet/GenericRedirector?command=submit&__re
questtype=immediate&invokeSubmit=true&__executableName=%2Fhome%2Facsadmin%2F
Failure_Reason%2FAuthentication_Failure_Code_Lookup.rptdesign&rptFailureReas
on=15039+Selected+Authorization+Profile+is+DenyAccess&__locale=en_US&iportal
ID=TKNENRBYE&__masterpage=false&__newWindow=false> 15039 Selected Authorization Profile is DenyAccess
For some reason some peoples can authorize and get access to network, others can't. ACS have access to Active Directory host, this issue occur only with one group in AD.
I have log from ACS.
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
Evaluating Service Selection Policy
15004 Matched rule
15012 Selected Access Service - Network Access
11507 Extracted EAP-Response/Identity
12700 Prepared EAP-Request proposing LEAP with challenge.
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12702 Extracted EAP-Response containing LEAP challenge-response and accepting LEAP as negotiated.
Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Store - AD1
24430 Authenticating user against Active Directory
24416 User's Groups retrieval from Active Directory succeeded
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042 No rule was matched
Evaluating Authorization Policy
15006 Matched Default Rule
15016 Selected Authorization Profile - DenyAccess
15039 Selected Authorization Profile is DenyAccess
12706 LEAP authentication failed; Finishing protocol.
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
__________________________________________________________________
B.R. Murat Kaipov
e-mail: <mailto:mkkaipov at gmail.com> mkkaipov at gmail.com
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
More information about the cisco-nsp
mailing list