Friday, 25 January 2013

Authorization failed or unapplied for client

If you see Authorization failed or unapplied for client or Authorization failed for client (which one depends on the switch model and software), followed by Authentication result overridden for client and immediately after that by Authorization succeeded for client, you can still have a problem even though the last message says the authorization succeeded and everything is green in ISE under Operations > Authentications. On some switches you will see:
*Mar  1 00:48:03.340: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0014.e223.ad54) on Interface Fa0/12 AuditSessionID 0DF3D9B40111000D00F12AD4
*Mar  1 00:48:03.349: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0014.e223.ad54) on Interface Fa0/12 AuditSessionID 0DF3D9B40111000D00F12AD4
*Mar  1 00:48:04.582: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.e223.ad54) on Interface Fa0/12 AuditSessionID 0DF3D9B40111000D00F12AD4
On others:
Jan 01 18:17:06.928: %AUTHMGR-5-FAIL: Authorization failed for client (0014.e223.ad54) on Interface Fa0/12 AuditSessionID 0DF3D9B40111000D00F12AD4
Jan 01 18:17:06.936: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0014.e223.ad54) on Interface Fa0/12 AuditSessionID 0DF3D9B40111000D00F12AD4
Jan 01 18:17:07.716: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.e223.ad54) on Interface Fa0/12 AuditSessionID 0DF3D9B40111000D00F12AD4
Switch#show authentication sessions interface f0/12
            Interface:  FastEthernet0/12
          MAC Address:  0014.e223.ad54
           IP Address:  10.10.10.10
            User-Name:  DOMAIN\user01
               Status:  Authz Failed
               Domain:  DATA
      Security Policy:  Should Secure
      Security Status:  Unsecure
       Oper host mode:  multi-auth
     Oper control dir:  both
        Authorized By:  Authentication Server
          Vlan Policy:  N/A
      Session timeout:  N/A
         Idle timeout:  N/A
    Common Session ID:  0DF3D9B40111000D00F12AD4
      Acct Session ID:  0x0000002D
               Handle:  0x8C000035

Runnable methods list:
       Method   State
       dot1x    Authc Success
So the session actually shows Authc Success, but Status: Authz Failed. The ACL is also not applied, and show ip access-lists interface returns nothing:
Switch#show ip access-lists interface F0/12
Switch#
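The three-message sequence above (FAIL, then RESULT_OVERRIDE, then SUCCESS for the same AuditSessionID) is easy to miss if you only alert on the last message. The following script, added here as an example and not part of the original post, groups switch syslog lines by session ID and reports only the sessions that show that exact sequence, so a clean authorization on another port is not flagged. The sample log text is constructed from the post's own lines plus one added clean session on Fa0/13; the wrapped "on Interface" continuation lines are re-joined before parsing, as they appear in the listing above.

```python
import re
from collections import defaultdict

# Constructed sample input, modelled on the two syslog formats quoted in the post.
# The MAC, interface and AuditSessionID values on Fa0/12 are the post's own sample
# values; the Fa0/13 session is an added, constructed clean authorization for contrast.
SAMPLE_SYSLOG = """\
*Mar  1 00:48:03.340: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client (0014.e223.ad54)
on Interface Fa0/12 AuditSessionID 0DF3D9B40111000D00F12AD4
*Mar  1 00:48:03.349: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0014.e223.ad54)
on Interface Fa0/12 AuditSessionID 0DF3D9B40111000D00F12AD4
*Mar  1 00:48:04.582: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.e223.ad54)
on Interface Fa0/12 AuditSessionID 0DF3D9B40111000D00F12AD4
Jan 01 18:20:11.100: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0014.e223.ad55) on Interface Fa0/13 AuditSessionID 0DF3D9B40111000E00F12AD5
"""

# Matches both message variants ("failed" and "failed or unapplied"); only the
# mnemonic, MAC, interface and session ID are extracted.
EVENT_RE = re.compile(
    r"%(?P<facility>AUTHMGR|DOT1X)-5-(?P<mnemonic>FAIL|RESULT_OVERRIDE|SUCCESS):"
    r".*?client \((?P<mac>[0-9a-f.]+)\)\s+on Interface (?P<intf>\S+)"
    r"\s+AuditSessionID (?P<session>[0-9A-Fa-f]+)"
)

def unwrap(text):
    """Re-join log lines that were wrapped before 'on Interface' (as in the post's listing)."""
    return re.sub(r"\s*\n\s*(?=on Interface )", " ", text)

def parse_events(text):
    """Return a list of (session_id, mac, interface, mnemonic) tuples in log order."""
    events = []
    for line in unwrap(text).splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append((m["session"], m["mac"], m["intf"], m["mnemonic"]))
    return events

def find_overridden_sessions(text):
    """Return {session_id: {"mac", "interface", "sequence"}} for every session whose
    SUCCESS was preceded by FAIL and then RESULT_OVERRIDE: the pattern the post
    describes, where the port reports success but the authorization was not applied."""
    per_session = defaultdict(list)
    meta = {}
    for session, mac, intf, mnemonic in parse_events(text):
        per_session[session].append(mnemonic)
        meta[session] = (mac, intf)
    suspects = {}
    for session, seq in per_session.items():
        try:
            i_fail = seq.index("FAIL")
            i_over = seq.index("RESULT_OVERRIDE", i_fail)
            seq.index("SUCCESS", i_over)
        except ValueError:
            continue  # sequence incomplete or out of order: not the pattern we care about
        mac, intf = meta[session]
        suspects[session] = {"mac": mac, "interface": intf, "sequence": seq}
    return suspects

if __name__ == "__main__":
    for session, info in find_overridden_sessions(SAMPLE_SYSLOG).items():
        print(f"{info['interface']} {info['mac']} session {session}: "
              f"{' -> '.join(info['sequence'])} (check DACL / authorization profile)")
```

Run it against a syslog export from the switch or your collector; every session it prints is one whose show authentication sessions output is worth checking for Authz Failed, regardless of what ISE shows.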
The probable reason is a problem with the DACL (downloadable access list), web authentication or some other part of the authorization profile. Check the DACL first, especially if it is in any way more complicated. Here are examples of DACLs that are fine and how they are transformed when pushed to the switch (the source any is replaced with the client's host address):
DACL entry on ISE:
permit tcp any any
on switch will be translated to:
permit tcp host 10.10.10.10 any (15 matches)

DACL entry on ISE:
permit tcp any any eq 22 established
on switch will be translated to:
permit tcp host 10.10.10.10 any eq 22 established

DACL entry on ISE:
permit tcp any eq 22 any established
on switch will be translated to:
permit tcp host 10.10.10.10 eq 22 any established
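To make the transformation above concrete and to check a port quickly, here is an added example (not code from the post) that renders ISE DACL entries the way the switch does for a given client address and then compares the result with a captured show ip access-lists interface output, reporting every entry that is not present. It assumes only what the three examples above show: the source any directly after the protocol becomes host <client IP>, and the switch may append a hit counter such as (15 matches). Entries whose source is not any are passed through unchanged, which is an assumption of this example. The DACL entries and the client address are the post's own; the captured switch output in the usage section is constructed.

```python
import ipaddress
import re

# Constructed sample values: the three DACL entries and the client address are the
# ones shown in the post.
DACL_ON_ISE = [
    "permit tcp any any",
    "permit tcp any any eq 22 established",
    "permit tcp any eq 22 any established",
]
CLIENT_IP = "10.10.10.10"

# Trailing hit counter the switch appends, e.g. "(15 matches)" or "(1 match)".
HIT_COUNT_RE = re.compile(r"\s*\(\d+ match(?:es)?\)\s*$")

def expand_dacl_for_host(dacl_lines, client_ip):
    """Render DACL entries the way the switch does when it applies them to a session:
    the source 'any' (the token right after the protocol) becomes 'host <client_ip>'.
    Entries whose source is not 'any' are passed through unchanged (an assumption of
    this example; the post only shows entries with source 'any')."""
    ipaddress.ip_address(client_ip)  # raises ValueError on a malformed address
    rendered = []
    for raw in dacl_lines:
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            raise ValueError(f"unrecognised ACE: {raw!r}")
        if tokens[2] == "any":
            tokens[2:3] = ["host", client_ip]
        rendered.append(" ".join(tokens))
    return rendered

def strip_hit_counts(switch_output):
    """Normalise 'show ip access-lists interface' lines: drop indentation and '(N matches)'."""
    entries = []
    for line in switch_output.splitlines():
        line = HIT_COUNT_RE.sub("", line).strip()
        if line.startswith(("permit ", "deny ")):
            entries.append(line)
    return entries

def missing_on_switch(dacl_lines, client_ip, switch_output):
    """Return the expected per-host entries that do not appear in the switch output.
    An empty switch output (as in the post) reports every entry as missing."""
    present = set(strip_hit_counts(switch_output))
    return [e for e in expand_dacl_for_host(dacl_lines, client_ip) if e not in present]

if __name__ == "__main__":
    # Constructed capture of a session where the DACL was applied and the first entry hit.
    applied = """\
    permit tcp host 10.10.10.10 any (15 matches)
    permit tcp host 10.10.10.10 any eq 22 established
    permit tcp host 10.10.10.10 eq 22 any established
"""
    print("missing when applied:", missing_on_switch(DACL_ON_ISE, CLIENT_IP, applied))
    print("missing when empty:  ", missing_on_switch(DACL_ON_ISE, CLIENT_IP, ""))
```

Paste the DACL from the ISE authorization profile into DACL_ON_ISE and the output of show ip access-lists interface for the port into the comparison; an empty list means every entry made it to the port, while an empty switch output (as on Fa0/12 above) lists every entry as missing, which points you back at the DACL or the rest of the authorization profile.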

3 comments:

  1. Hi!

    thanks for your post.

    I do not have a DACL on my ACS and some computers are authorized and others are not.

    Jun 13 07:48:34: %AUTHMGR-5-FAIL: Authorization failed or unapplied for client ...

    Can you help me?

    Regards.

  2. Use
    switch(config)#Authorization failed or unapplied for client

  3. If a downloadable ACL is configured for a client on the authentication server, a default port ACL on the connected client switch port must also be configured...
    However, if the switch receives a host access policy from the Cisco Secure ACS but the default ACL is not configured, the authorization failure is declared.


Disclaimers: This is a personal weblog. The opinions expressed here are entirely my own and not those of my employer and/or its affiliates. This material is not sponsored or endorsed by Cisco Systems, Inc. Cisco, Cisco Systems, CCIE and the CCIE Logo, CCDP, CCNA and CCDA are trademarks of Cisco Systems, Inc. and its affiliates.