I’ve run into this a couple of times before. Wired authentications and authorizations look like they are working when you look at the ISE/ACS logs, but the clients don’t have access to the network. When show authentication sessions interface… (or show access-session interface…) is run on the switch CLI, it shows Dot1x or MAB with Authc Success, but the status is Authz Failed.
What exactly does that mean? Authc Success means that the authentication method (Dot1x or MAB) was successful: ISE accepted the credentials or the MAC address. No problems there. Authz Failed means that the authorization was not successful: the switch either never asked for, or could not apply, the authorization result (dACL, VLAN and so on) that is supposed to follow a successful authentication. It’s like going to the club, the bouncer says “I know you! You’re allowed in!”, but then doesn’t open the door because he doesn’t know where you’re allowed to go.
The main causes of this issue I’ve found are:
Bad downloadable ACL (dACL) formatting
The very first time I ran into this issue was when a customer called up after creating a new downloadable ACL (dACL). They swore that they had verified the ACL using the built-in syntax checker. When I checked the dACL, I saw they had put permit any any eq 443 instead of permit tcp any any eq 443. The protocol keyword was missing, so the switch could not parse that entry and rejected the dACL when it tried to apply it; since the dACL is part of the authorization result, the session ended up in Authz Failed. Once we corrected the dACL, authorizations started working properly.
Bad AAA config
This one I saw recently. A new switch was deployed and a template was supposed to be applied for all of the AAA configuration (global and port level). Every device was successfully authenticating but could not access any network resources. We checked the dACLs even though I didn’t suspect that was the issue, since the same dACLs were working on other switches. The next step was checking the switch config. After running show running-config | section aaa, the cause of the issue was found. The aaa authorization network default method list was configured with local instead of group radius (or group followed by the RADIUS server group name). With local, the switch still authenticates against ISE, but it never applies the authorization attributes (dACL, VLAN and so on) that RADIUS returns, so every session fails authorization. Everything started working properly after changing it to aaa authorization network default group radius.
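As an added example (my own code, not from the original post), here is a small Python pre-flight check that covers both causes above: check_dacl() lints a dACL body against the extended-ACE grammar the switch enforces, so a missing protocol keyword is caught before ISE ever pushes it, and check_aaa() reads the output of show running-config | section aaa and flags a network authorization method list that has no RADIUS group in it. The protocol keyword set, the accepted trailing keywords, and the sample dACL and AAA configs are assumptions made up for illustration. The dACL check goes slightly beyond the post: it also rejects a port match on a protocol other than tcp/udp (for example permit ip any any eq 22), which the switch refuses for the same reason.

```python
"""Added example: pre-flight checks for the two Authz Failed causes above.
check_dacl() lints dACL text against the extended-ACE grammar the switch
enforces; check_aaa() reads 'show running-config | section aaa' output and
flags a network authorization list with no RADIUS group. PROTOCOLS and the
sample configs are assumptions, not taken from the post."""
import re

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp", "eigrp", "ospf", "igmp", "pim"}
PORT_OPS = {"eq", "neq", "gt", "lt", "range"}
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def _take_address(tokens, i):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D WILDCARD' at tokens[i]; None if malformed."""
    if i < len(tokens) and tokens[i] == "any":
        return i + 1
    if i + 1 < len(tokens) and _IPV4.match(tokens[i + 1]):
        if tokens[i] == "host" or _IPV4.match(tokens[i]):
            return i + 2
    return None

def _take_port(tokens, i, proto):
    """Consume an optional port match (eq 443, range 20 21 ...). Returns (index, error)."""
    if i >= len(tokens) or tokens[i] not in PORT_OPS:
        return i, None
    op = tokens[i]
    if proto not in ("tcp", "udp"):
        return i, f"'{op}' port match is only valid for tcp/udp, not '{proto}'"
    need = 2 if op == "range" else 1
    if i + need >= len(tokens):
        return i, f"'{op}' needs {need} port value(s)"
    return i + 1 + need, None

def check_ace(line):
    """None if the line parses as permit|deny <proto> <src> [port] <dst> [port] [log]."""
    tokens = line.split()
    if not tokens or tokens[0] in ("!", "remark"):
        return None
    if tokens[0] not in ("permit", "deny"):
        return f"expected permit/deny, got '{tokens[0]}'"
    if len(tokens) < 2:
        return "missing protocol keyword"
    proto = tokens[1]
    if proto not in PROTOCOLS and not proto.isdigit():
        # The exact mistake from the post: 'permit any any eq 443' (protocol missing).
        return f"'{proto}' is not a protocol; ip/tcp/udp/... must come before the source"
    i = _take_address(tokens, 2)
    if i is None:
        return "bad source address"
    i, err = _take_port(tokens, i, proto)
    if err:
        return err
    i = _take_address(tokens, i)
    if i is None:
        return "bad destination address"
    i, err = _take_port(tokens, i, proto)
    if err:
        return err
    extra = [t for t in tokens[i:] if t not in ("log", "established")]
    return f"unexpected token '{extra[0]}'" if extra else None

def check_dacl(text):
    """Lint a whole dACL body; returns [(line_no, ace, error)] for the bad lines only."""
    return [(n, raw.strip(), err) for n, raw in enumerate(text.splitlines(), 1)
            if (err := check_ace(raw))]

def check_aaa(section):
    """Findings for 'show running-config | section aaa' text; empty list means OK."""
    lines = [l.strip() for l in section.splitlines()]
    authz = [l for l in lines if l.startswith("aaa authorization network ")]
    if not authz:
        return ["no 'aaa authorization network' list: RADIUS attributes are never applied"]
    findings = []
    for l in authz:
        methods = l.split()[4:]  # everything after 'aaa authorization network <list-name>'
        has_group = any(m == "group" and k + 1 < len(methods) for k, m in enumerate(methods))
        if not has_group:  # e.g. '... default local': ISE is never asked for dACL/VLAN
            findings.append(f"'{l}' has no 'group <radius-group>' method")
    return findings

# Constructed sample input, not real customer data.
SAMPLE_DACL = """\
permit udp any any eq domain
permit any any eq 443
permit ip any any eq 22
deny ip any any
"""
BAD_AAA = """\
aaa new-model
aaa group server radius ISE
 server name ISE-PSN1
aaa authentication dot1x default group ISE
aaa authorization network default local
"""
GOOD_AAA = BAD_AAA.replace("aaa authorization network default local",
                           "aaa authorization network default group ISE")

if __name__ == "__main__":
    for n, ace, err in check_dacl(SAMPLE_DACL):
        print(f"dACL line {n}: {ace!r}: {err}")
    for f in check_aaa(BAD_AAA):
        print("AAA:", f)
    print("fixed AAA findings:", check_aaa(GOOD_AAA))
```

Paste the dACL body from ISE into check_dacl() before saving it, and feed check_aaa() the section output from a freshly templated switch; a bad ACE or a method list with no group is exactly what turns Authc Success into Authz Failed on the port.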
I’ll update this post if I run into more causes of this issue.