[c-nsp] ACS 5.2 authorization issue

Javier Henderson (javier) javier at cisco.com
Mon Jun 23 09:06:45 EDT 2014


Murat,

It looks like for that authorization attempt, no authorization rules were matched and the default action was set to deny authorization.

Bring up the details of one of the failed attempts, and see if you can find why the user won’t match the expected rule. If you need help with this please open a case with us (Cisco TAC) and we’ll be happy to take a look.

Javier Henderson
javier at cisco.com

> On Jun 23, 2014, at 5:07 AM, Murat Kaipov <mkkaipov at gmail.com> wrote:
> 
> Hello Guys.
> 
> I have a little issue with authorization on ACS 5.2 for network access.
> 
> Radius status: Authentication failed: 15039 Selected Authorization Profile is DenyAccess
> 
> For some reason some people can authorize and get access to the network, others
> can't. ACS has access to the Active Directory host; this issue occurs only with
> one group in AD.
> 
> I have a log from ACS.
> 
> 11001  Received RADIUS Access-Request
> 11017  RADIUS created a new session
> Evaluating Service Selection Policy
> 15004  Matched rule
> 15012  Selected Access Service - Network Access
> 11507  Extracted EAP-Response/Identity
> 12700  Prepared EAP-Request proposing LEAP with challenge.
> 11006  Returned RADIUS Access-Challenge
> 11001  Received RADIUS Access-Request
> 11018  RADIUS is re-using an existing session
> 12702  Extracted EAP-Response containing LEAP challenge-response and accepting LEAP as negotiated.
> Evaluating Identity Policy
> 15006  Matched Default Rule
> 15013  Selected Identity Store - AD1
> 24430  Authenticating user against Active Directory
> 24416  User's Groups retrieval from Active Directory succeeded
> 24402  User authentication against Active Directory succeeded
> 22037  Authentication Passed
> Evaluating Group Mapping Policy
> Evaluating Exception Authorization Policy
> 15042  No rule was matched
> Evaluating Authorization Policy
> 15006  Matched Default Rule
> 15016  Selected Authorization Profile - DenyAccess
> 15039  Selected Authorization Profile is DenyAccess
> 12706  LEAP authentication failed; Finishing protocol.
> 11504  Prepared EAP-Failure
> 11003  Returned RADIUS Access-Reject
> 
> __________________________________________________________________
> 
> B.R. Murat Kaipov
> 
> e-mail: mkkaipov at gmail.com
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/

Javier Henderson
javier at cisco.com
+1 919 574 5032
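The step sequence Javier points at (22037 Authentication Passed, then 15042 in the Exception Authorization Policy, then 15006/15016/15039 in the Authorization Policy) is the signature of a reject decided by policy rather than by credentials. The following is an added example, not code from the thread or from Cisco: a small triage script that parses the numbered steps of an ACS 5.x detail log, attributes each "Matched Default Rule" to the policy section it occurred in, and reports whether the Access-Reject came from authentication or from the authorization policy falling through to its Default Rule. The step codes are the ones quoted in the thread; both sample logs are constructed (the first copied and abridged from the post, the second a hypothetical identity-store failure with the success steps removed).

```python
"""Triage a Cisco ACS 5.x authentication detail log (added example, not
from the thread or from Cisco). Step codes are those quoted in the post;
the sample logs at the bottom are constructed."""
import re
from dataclasses import dataclass, field

STEP_RE = re.compile(r"^(\d{5})\s+(.*\S)$")

# Step codes as they appear in the thread's log.
AUTH_PASSED = "22037"             # Authentication Passed
AD_GROUPS_OK = "24416"            # User's Groups retrieval from AD succeeded
MATCHED_RULE = "15004"            # Matched rule
MATCHED_DEFAULT_RULE = "15006"    # Matched Default Rule (identity and authz policies both log it)
NO_RULE_MATCHED = "15042"         # No rule was matched
SELECTED_AUTHZ_PROFILE = "15016"  # Selected Authorization Profile - <name>
AUTHZ_PROFILE_IS_DENY = "15039"   # Selected Authorization Profile is DenyAccess
ACCESS_REJECT = "11003"           # Returned RADIUS Access-Reject


@dataclass
class Verdict:
    stage: str    # "authentication", "authorization" or "no-reject"
    reason: str
    policy_trail: list = field(default_factory=list)


def parse_steps(text):
    """Return (section, code, message) tuples in log order.

    Unnumbered 'Evaluating <X> Policy' lines open a section so a 15006 can be
    attributed to the policy it belongs to. Leading '> ' quote marks from a
    mailing-list post are stripped.
    """
    steps, section = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("> ").strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        if m:
            steps.append((section, m.group(1), m.group(2)))
        elif line.startswith("Evaluating "):
            section = line[len("Evaluating "):]
    return steps


def triage(text):
    """Decide at which stage the session was rejected and why."""
    steps = parse_steps(text)
    codes = {code for _, code, _ in steps}
    # One line per policy decision, e.g. "Authorization Policy: 15006 Matched Default Rule".
    trail = [f"{sec}: {code} {msg}" for sec, code, msg in steps
             if sec and code in {MATCHED_RULE, MATCHED_DEFAULT_RULE,
                                 NO_RULE_MATCHED, SELECTED_AUTHZ_PROFILE}]
    if ACCESS_REJECT not in codes:
        return Verdict("no-reject", "session did not end in an Access-Reject", trail)
    if AUTH_PASSED not in codes:
        return Verdict("authentication", "no 22037 Authentication Passed; the identity "
                       "store rejected the credentials or was unreachable", trail)
    authz_codes = {code for sec, code, _ in steps if sec == "Authorization Policy"}
    if AUTHZ_PROFILE_IS_DENY in authz_codes and MATCHED_DEFAULT_RULE in authz_codes:
        reason = ("credentials accepted; no authorization rule matched, so the "
                  "Default Rule applied and selected DenyAccess")
        if AD_GROUPS_OK in codes:
            reason += ("; AD group retrieval succeeded, so compare the rule's group "
                       "condition with the groups ACS retrieved for this user")
        return Verdict("authorization", reason, trail)
    return Verdict("authorization", "rejected after authentication passed; "
                   "inspect the Authorization Policy steps", trail)


# Constructed: the thread's log, abridged (EAP challenge round trip removed),
# quote marks kept to show the parser tolerates them.
THREAD_LOG = """
> 11001  Received RADIUS Access-Request
> 11017  RADIUS created a new session
> Evaluating Service Selection Policy
> 15004  Matched rule
> 15012  Selected Access Service - Network Access
> Evaluating Identity Policy
> 15006  Matched Default Rule
> 15013  Selected Identity Store - AD1
> 24430  Authenticating user against Active Directory
> 24416  User's Groups retrieval from Active Directory succeeded
> 24402  User authentication against Active Directory succeeded
> 22037  Authentication Passed
> Evaluating Group Mapping Policy
> Evaluating Exception Authorization Policy
> 15042  No rule was matched
> Evaluating Authorization Policy
> 15006  Matched Default Rule
> 15016  Selected Authorization Profile - DenyAccess
> 15039  Selected Authorization Profile is DenyAccess
> 12706  LEAP authentication failed; Finishing protocol.
> 11504  Prepared EAP-Failure
> 11003  Returned RADIUS Access-Reject
"""

# Constructed and hypothetical: same shape, but the identity store never
# reports success, so the reject belongs to the authentication stage.
AUTH_FAIL_LOG = """
11001  Received RADIUS Access-Request
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - AD1
24430  Authenticating user against Active Directory
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject
"""

if __name__ == "__main__":
    for name, log in (("thread", THREAD_LOG), ("auth-fail", AUTH_FAIL_LOG)):
        v = triage(log)
        print(f"{name}: stage={v.stage}\n  {v.reason}")
        for line in v.policy_trail:
            print("  ", line)
```

Run it against a detail report pasted from the ACS GUI; the policy trail it prints is the part to compare against the rule table, since in ACS 5.x rules are matched first-hit in order and a session that matches nothing lands on the Default Rule, whose profile here is DenyAccess.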