[c-nsp] ACS 5.2 authorization issue

Murat Kaipov mkkaipov at gmail.com
Mon Jun 23 09:33:02 EDT 2014


Hello Ulrik,
Thank you for the advice. But in my case this group worked well until
Friday. Then my colleagues changed the authorization profile in Access Policies and
this issue occurred. We rolled back the changes but it doesn't help us.


__________________________________________________________________
B.R. Murat Kaipov

e-mail: mkkaipov at gmail.com

-----Original Message-----
From: Ulrik Ivers [mailto:ulrik.ivers at excanto.se] 
Sent: Monday, June 23, 2014 4:05 PM
To: Murat Kaipov
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] ACS 5.2 authorization issue

Hi,

1. Check the name of the group in AD. Look for spaces or non-ASCII
characters in the name.
2. Check the names of ALL groups the user is a member of in the same way as
1.

This might be a long shot, but things like this have been the root cause for me
in similar cases (not with ACS 5.2 though, never used that product).

/Ulrik

-----Original Message-----
From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
Murat Kaipov
Sent: den 23 juni 2014 11:07
To: cisco-nsp at puck.nether.net
Subject: [c-nsp] ACS 5.2 authorization issue

Hello Guys.

I have a little issue with authorization on ACS 5.2 for network access.

Radius status: Authentication failed: 15039 Selected Authorization Profile is DenyAccess

For some reason some people can authorize and get access to the network, others
can't. ACS has access to the Active Directory host; this issue occurs only with
one group in AD.

I have a log from ACS.

11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - Network Access
11507  Extracted EAP-Response/Identity
12700  Prepared EAP-Request proposing LEAP with challenge.
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12702  Extracted EAP-Response containing LEAP challenge-response and accepting LEAP as negotiated.
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - AD1
24430  Authenticating user against Active Directory
24416  User's Groups retrieval from Active Directory succeeded
24402  User authentication against Active Directory succeeded
22037  Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042  No rule was matched
Evaluating Authorization Policy
15006  Matched Default Rule
15016  Selected Authorization Profile - DenyAccess
15039  Selected Authorization Profile is DenyAccess
12706  LEAP authentication failed; Finishing protocol.
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject


__________________________________________________________________

B.R. Murat Kaipov

e-mail: mkkaipov at gmail.com
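As an added triage example (not part of this thread, and not an ACS or Cisco tool): a small Python script that parses the ACS step log quoted above and states in which phase the request was refused, then applies the check Ulrik describes (spaces and non-ASCII characters) to a list of AD group names. The log text is copied from the post; the group names are constructed sample data, and the only step codes the script keys on (22037, 15006, 15013, 15016, 11003) are those that appear in the log above. The point it makes visible is that authentication succeeded and the request was rejected only because the Authorization Policy matched nothing but the Default Rule, whose profile is DenyAccess.

```python
import re
import unicodedata

# Constructed sample input: the ACS 5.2 step log from the original post, one step per line.
SAMPLE_ACS_LOG = """\
11001  Received RADIUS Access-Request
11017  RADIUS created a new session
Evaluating Service Selection Policy
15004  Matched rule
15012  Selected Access Service - Network Access
11507  Extracted EAP-Response/Identity
12700  Prepared EAP-Request proposing LEAP with challenge.
11006  Returned RADIUS Access-Challenge
11001  Received RADIUS Access-Request
11018  RADIUS is re-using an existing session
12702  Extracted EAP-Response containing LEAP challenge-response and accepting LEAP as negotiated.
Evaluating Identity Policy
15006  Matched Default Rule
15013  Selected Identity Store - AD1
24430  Authenticating user against Active Directory
24416  User's Groups retrieval from Active Directory succeeded
24402  User authentication against Active Directory succeeded
22037  Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042  No rule was matched
Evaluating Authorization Policy
15006  Matched Default Rule
15016  Selected Authorization Profile - DenyAccess
15039  Selected Authorization Profile is DenyAccess
12706  LEAP authentication failed; Finishing protocol.
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject
"""

# Constructed sample AD group names covering the cases Ulrik's advice points at.
CONSTRUCTED_GROUPS = [
    "NetAdmins",            # clean
    "VPN Users",            # embedded space
    "Network\u00a0Admins",  # non-breaking space; looks like a plain space in a GUI
    "Сетевики",             # Cyrillic, non-ASCII
    "Ops ",                 # trailing whitespace
]

STEP_RE = re.compile(r"^(\d{5})\s+(.*)$")
PHASE_RE = re.compile(r"^Evaluating (.+ Policy)$")


def parse_steps(log_text):
    """Yield (phase, code, message); phase is the policy being evaluated when the
    step was logged, or None before the first 'Evaluating ...' line."""
    phase = None
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        if m := PHASE_RE.match(line):
            phase = m.group(1)
        elif m := STEP_RE.match(line):
            yield phase, m.group(1), m.group(2)


def triage(log_text):
    """Say where the request was refused, keyed only on step codes present in the log."""
    steps = list(parse_steps(log_text))
    codes = {code for _, code, _ in steps}
    s = {"authentication_passed": "22037" in codes,   # 22037 Authentication Passed
         "rejected": "11003" in codes,                # 11003 Returned RADIUS Access-Reject
         "identity_store": None, "authorization_rule": None, "authorization_profile": None}
    for phase, code, msg in steps:
        if code == "15013":                           # Selected Identity Store - <name>
            s["identity_store"] = msg.split(" - ", 1)[1]
        elif phase == "Authorization Policy" and code in ("15004", "15006"):
            s["authorization_rule"] = msg             # "Matched rule" / "Matched Default Rule"
        elif code == "15016":                         # Selected Authorization Profile - <name>
            s["authorization_profile"] = msg.split(" - ", 1)[1]
    if not s["authentication_passed"]:
        s["verdict"] = "authentication failed"
    elif s["authorization_rule"] == "Matched Default Rule" and s["authorization_profile"] == "DenyAccess":
        s["verdict"] = "authentication passed; authorization fell through to the default rule"
    else:
        s["verdict"] = "no default-rule deny seen; inspect the log manually"
    return s


def check_group_name(name):
    """Problems in an AD group name that commonly break a string-match rule condition:
    surrounding whitespace, embedded spaces, non-ASCII or invisible characters."""
    problems = ["leading/trailing whitespace"] if name != name.strip() else []
    start = len(name) - len(name.lstrip())
    for i, ch in enumerate(name.strip()):
        if ch == " ":
            problems.append(f"space at offset {start + i}")
        elif ord(ch) > 127 or unicodedata.category(ch)[0] in ("C", "Z"):
            problems.append(f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')} at offset {start + i}")
    return problems


def check_groups(names):
    """Map each suspicious group name to its problems; clean names are left out."""
    return {n: p for n in names if (p := check_group_name(n))}
```

Run `triage(SAMPLE_ACS_LOG)` to get the summary dictionary and `check_groups(CONSTRUCTED_GROUPS)` to get the flagged names; a real run would feed it the group list retrieved for the affected user (the step 24416 line shows that retrieval itself succeeded, so the names, not the lookup, are what remain to compare against the rule conditions). Non-breaking spaces and Cyrillic look-alike letters are reported with their Unicode names because they are invisible in most GUIs, which is why a rollback of the policy change can leave such a mismatch in place.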

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
