[c-nsp] ACS 5.2 authorization issue

Ben Daifa bendaifa at gmail.com
Mon Jun 23 16:29:03 EDT 2014


프ㅠ푸
---------- Forwarded message ----------
From: "Murat Kaipov" <mkkaipov at gmail.com>
Date: 23 June 2014 10:11
Subject: [c-nsp] ACS 5.2 authorization issue
To: <cisco-nsp at puck.nether.net>

Hello Guys.

I have a little issue with authorization on ACS 5.2 for network access.

Radius status: Authentication failed :
<https://172.24.25.6/avreports/servlet/GenericRedirector?command=submit&__requesttype=immediate&invokeSubmit=true&__executableName=%2Fhome%2Facsadmin%2FFailure_Reason%2FAuthentication_Failure_Code_Lookup.rptdesign&rptFailureReason=15039+Selected+Authorization+Profile+is+DenyAccess&__locale=en_US&iportalID=TKNENRBYE&__masterpage=false&__newWindow=false>
15039 Selected Authorization Profile is DenyAccess

For some reason some people can authorize and get access to the network, others
can't. ACS has access to the Active Directory host; this issue occurs only with
one group in AD.

I have a log from ACS.


11001  Received RADIUS Access-Request

11017  RADIUS created a new session

Evaluating Service Selection Policy

15004  Matched rule

15012  Selected Access Service - Network Access

11507  Extracted EAP-Response/Identity

12700  Prepared EAP-Request proposing LEAP with challenge.

11006  Returned RADIUS Access-Challenge

11001  Received RADIUS Access-Request

11018  RADIUS is re-using an existing session

12702  Extracted EAP-Response containing LEAP challenge-response and
accepting LEAP as negotiated.

Evaluating Identity Policy

15006  Matched Default Rule

15013  Selected Identity Store - AD1

24430  Authenticating user against Active Directory

24416  User's Groups retrieval from Active Directory succeeded

24402  User authentication against Active Directory succeeded

22037  Authentication Passed

Evaluating Group Mapping Policy

Evaluating Exception Authorization Policy

15042  No rule was matched

Evaluating Authorization Policy

15006  Matched Default Rule

15016  Selected Authorization Profile - DenyAccess

15039  Selected Authorization Profile is DenyAccess

12706  LEAP authentication failed; Finishing protocol.

11504  Prepared EAP-Failure

11003  Returned RADIUS Access-Reject





__________________________________________________________________

B.R. Murat Kaipov

e-mail: mkkaipov at gmail.com



_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
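
Added example (not part of the original post, and not Cisco code): a small Python parser for the step trace quoted above that attributes each step to the policy stage it was logged under, which separates the two 15006 "Matched Default Rule" entries and shows the reject was decided in the Authorization Policy after authentication passed. The function names `parse_trace` and `diagnose` and the result keys are assumptions made for this example; the trace lines are copied from the post.

```python
import re

# Abridged from the ACS step log in the post above (blank lines dropped).
TRACE = """\
Evaluating Identity Policy
15006  Matched Default Rule
24416  User's Groups retrieval from Active Directory succeeded
24402  User authentication against Active Directory succeeded
22037  Authentication Passed
Evaluating Group Mapping Policy
Evaluating Exception Authorization Policy
15042  No rule was matched
Evaluating Authorization Policy
15006  Matched Default Rule
15016  Selected Authorization Profile - DenyAccess
15039  Selected Authorization Profile is DenyAccess
11003  Returned RADIUS Access-Reject
"""

STEP = re.compile(r"^(\d{5})\s+(.*)$")

def parse_trace(text):
    """Return [(stage, code, message)]; stage is the last 'Evaluating ...' header seen."""
    stage, steps = None, []
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        m = STEP.match(line)
        if m:
            steps.append((stage, m.group(1), m.group(2)))
        elif line.startswith("Evaluating "):
            stage = line[len("Evaluating "):]
        elif steps:  # wrapped continuation of the previous message
            s, c, msg = steps[-1]
            steps[-1] = (s, c, msg + " " + line)
    return steps

def diagnose(steps):
    """Report whether authentication passed and which policy stage chose the profile."""
    codes = {c for _, c, _ in steps}
    deny = next(((s, m) for s, c, m in steps if c == "15016"), None)
    stage = deny[0] if deny else None
    rule = next((m for s, _, m in steps if deny and s == stage and m.startswith("Matched")), None)
    return {
        "authenticated": "22037" in codes,
        "groups_retrieved": "24416" in codes,
        "rejected": "11003" in codes,
        "deciding_stage": stage,
        "profile": deny[1].split(" - ", 1)[1] if deny else None,
        "matched_rule": rule,
    }
```

For the trace in the post, `diagnose(parse_trace(TRACE))` reports that authentication passed, group retrieval succeeded, and the DenyAccess profile came from the default rule of the Authorization Policy, so no earlier authorization rule matched this user.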

