Wired Authc Success but Authz Failed?

I’ve run into this a couple of times before. Wired authentications and authorizations look like they are working when you check the ISE/ACS logs, but the clients don’t have access to the network. When show authentication sessions interface… (or show access-session interface…) is run on the switch CLI, it shows Dot1x or MAB with Authc Success, but the status is Authz Failed.

What exactly does that mean? Authc Success means that the authentication method (Dot1x or MAB) was successful. No problems there. Authz Failed means that the switch could not apply the authorization result it received from ISE (the dACL, VLAN or other attributes in the Access-Accept), so the session never gets access even though ISE logged a success. It’s like going to the club: the bouncer says “I know you! You’re allowed in!”, but then doesn’t open the door because he doesn’t know where you’re allowed to go.

The main causes of this issue I’ve found are:

Bad downloadable ACL (dACL) formatting

The very first time I ran into this issue was when a customer called up after creating a new downloadable ACL (dACL). They swore that they had verified the ACL using the built-in tool. When I checked the dACL, I saw they had put permit any any eq 443 instead of permit tcp any any eq 443 (the protocol was missing). The switch was rejecting the dACL because of the bad formatting, and without a usable dACL it failed the authorization. Once we corrected the dACL, authorizations started working properly.
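The kind of check the customer was relying on, as an added example that is not code from the original post or from ISE: a small validator for the subset of IOS extended-ACL syntax that dACLs use. It goes a little beyond the case in the post (a missing protocol) and also catches a port operator on a non-TCP/UDP protocol, bad addresses and out-of-range ports. The protocol table, the sample dACL and the cisco-av-pair encoding helper are assumptions made for the example.

```python
"""Validate downloadable ACL (dACL) entries before they reach the switch.

Added example, not code from the original post or from ISE. It parses the
subset of Cisco IOS extended-ACL syntax that dACLs use:
    {permit|deny} <protocol> <source> [port-op] <destination> [port-op] [log|established]
A switch that receives an entry it cannot parse rejects the whole dACL and
the session lands in 'Authz Failed'. The protocol table is deliberately
small; extend it for your environment.
"""
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "igmp", "gre", "esp", "ahp", "ospf", "eigrp", "pim"}
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}   # operator -> number of port args


def _parse_address(tokens, pos):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[pos]; return the next position."""
    if pos >= len(tokens):
        raise ValueError("missing address")
    tok = tokens[pos]
    if tok == "any":
        return pos + 1
    if tok == "host":
        if pos + 1 >= len(tokens):
            raise ValueError("'host' without an address")
        ipaddress.IPv4Address(tokens[pos + 1])          # raises on a malformed address
        return pos + 2
    if pos + 1 >= len(tokens):
        raise ValueError(f"address {tok!r} without a wildcard mask")
    ipaddress.IPv4Address(tok)
    ipaddress.IPv4Address(tokens[pos + 1])
    return pos + 2


def _parse_port_op(tokens, pos, proto):
    """Consume an optional port operator at tokens[pos]; return the next position."""
    if pos >= len(tokens) or tokens[pos] not in PORT_OPS:
        return pos
    op = tokens[pos]
    if proto not in ("tcp", "udp"):
        raise ValueError(f"port operator {op!r} is only valid for tcp/udp, not {proto!r}")
    args = tokens[pos + 1 : pos + 1 + PORT_OPS[op]]
    if len(args) != PORT_OPS[op]:
        raise ValueError(f"{op!r} needs {PORT_OPS[op]} port argument(s)")
    for port in args:
        # numeric ports must be 0-65535; IOS also accepts names such as 'www' or 'ftp-data'
        if port.isdigit():
            if int(port) > 65535:
                raise ValueError(f"port {port} out of range")
        elif not port.replace("-", "").isalpha():
            raise ValueError(f"bad port {port!r}")
    return pos + 1 + PORT_OPS[op]


def validate_ace(ace):
    """Return None if the ACE is well formed, otherwise a description of the first error."""
    tokens = ace.split()
    try:
        if not tokens or tokens[0] not in ("permit", "deny"):
            raise ValueError("entry must start with 'permit' or 'deny'")
        if len(tokens) < 2 or tokens[1] not in PROTOCOLS:
            got = tokens[1] if len(tokens) > 1 else "<nothing>"
            raise ValueError(f"expected a protocol after {tokens[0]!r}, got {got!r}")
        proto = tokens[1]
        pos = _parse_address(tokens, 2)            # source
        pos = _parse_port_op(tokens, pos, proto)
        pos = _parse_address(tokens, pos)          # destination
        pos = _parse_port_op(tokens, pos, proto)
        for extra in tokens[pos:]:
            if extra == "established" and proto != "tcp":
                raise ValueError("'established' is only valid for tcp")
            if extra not in ("log", "log-input", "established"):
                raise ValueError(f"unexpected token {extra!r}")
    except ValueError as exc:      # ipaddress.AddressValueError is a ValueError
        return str(exc)
    return None


def validate_dacl(entries):
    """Return [(line_no, ace, error)] for every entry the switch would reject."""
    bad = []
    for n, ace in enumerate(entries, start=1):
        err = validate_ace(ace)
        if err is not None:
            bad.append((n, ace, err))
    return bad


def to_av_pairs(entries):
    """Encode a dACL the way it travels in RADIUS: one cisco-av-pair 'ip:inacl#N=<ace>' per entry."""
    return [f"ip:inacl#{n}={ace}" for n, ace in enumerate(entries, start=1)]


# Constructed sample: the customer's dACL from the post, with the protocol missing on line 1.
CUSTOMER_DACL = [
    "permit any any eq 443",
    "permit tcp any any eq 443",
    "permit udp any host 10.0.0.53 eq 53",
    "deny ip any any",
]

if __name__ == "__main__":
    for n, ace, err in validate_dacl(CUSTOMER_DACL):
        print(f"line {n}: {ace!r}: {err}")
```

Run it and line 1 is reported as "expected a protocol after 'permit', got 'any'", which is exactly the entry the switch was rejecting. Note that the switch validates the whole dACL when it applies it, so one bad line takes the session to Authz Failed even if every other line is fine.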

Bad AAA config

This one I saw recently. A new switch was deployed and a template was supposed to be applied for all of the AAA configuration (global and port level). Every device was successfully authenticating but could not access any network resources. We checked the dACLs even though I didn’t suspect they were the issue, since they were working on other switches. The next step was checking the switch config. After running the command show running-config | section aaa, the cause of the issue was found. The line read aaa authorization network default local instead of aaa authorization network default group radius (or group followed by the RADIUS server group name), so the switch never applied the authorization attributes ISE was returning. Everything started working properly after setting it to aaa authorization network default group radius.

I’ll update this post if I run into more causes of this issue.


2 comments

  1. Good post — this “Authz failed” is often a confuser for purveyors of ISE. 🙂

    Another big one I run into often is the voice and data VLAN matching on the port. While this isn’t standard practice, I often come across ports configured this way because of weird behavior with some types of phones not being consistent with which VLAN domain they want to use.

    Without authentication configured, this isn’t a problem; however, it will cause authorization to fail when authorization is attempted. In more recent IOS versions, it will show a descriptive log event in your log. Previously, you were left guessing!

  2. Hi, I had the same issue where ‘radius-server vsa send authentication’ was missing on the switch, so the dACL wasn’t applied. It showed Authz Failed on the switch port while ISE showed success.
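A config audit for the switch-side causes collected on this page (the post’s aaa authorization network default local, the first comment’s matching voice and data VLAN, and the second comment’s missing radius-server vsa send authentication), as an added example that is not code from the original post or its commenters. It parses the text of show running-config and returns findings; the sample configuration is constructed for the example, and the server-group name ISE, the interface names and the VLAN numbers are assumptions.

```python
"""Audit a switch configuration for the 'Authc Success but Authz Failed' causes.

Added example, not code from the original post or its comments. It reads the
text of `show running-config` (a constructed sample is below) and flags:
  - 'aaa authorization network default' not using a RADIUS server group
    (the post's second cause: 'local' instead of 'group radius'),
  - a missing 'radius-server vsa send authentication' (second comment),
  - an 802.1X/MAB port whose voice and data VLAN are the same (first comment).
"""

# Constructed sample with all three problems present on GigabitEthernet1/0/1.
BROKEN_CONFIG = """\
aaa new-model
aaa group server radius ISE
 server name ise-psn-1
aaa authentication dot1x default group ISE
aaa authorization network default local
!
interface GigabitEthernet1/0/1
 switchport access vlan 100
 switchport voice vlan 100
 authentication port-control auto
 dot1x pae authenticator
!
interface GigabitEthernet1/0/2
 switchport access vlan 100
 switchport voice vlan 200
 authentication port-control auto
!
"""

# The same configuration with the three fixes applied.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authorization network default local",
    "aaa authorization network default group ISE\nradius-server vsa send authentication",
).replace(" switchport voice vlan 100", " switchport voice vlan 200")


def parse_config(text):
    """Split an IOS running-config into global lines and per-interface lines."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line.strip())
    return global_lines, interfaces


def audit(text):
    """Return a list of (scope, finding) tuples; an empty list means nothing was flagged."""
    glob, ifaces = parse_config(text)
    findings = []

    if "aaa new-model" not in glob:
        findings.append(("aaa new-model", "missing; the aaa commands are not in effect without it"))

    # server groups defined with 'aaa group server radius <name>'
    groups = {l.split()[4] for l in glob if l.startswith("aaa group server radius ")}
    authz = next((l for l in glob if l.startswith("aaa authorization network default")), None)
    if authz is None:
        findings.append(("aaa authorization", "no 'aaa authorization network default' line; "
                         "the switch never applies ISE's authorization result"))
    else:
        methods = authz.split()[4:]
        if len(methods) < 2 or methods[0] != "group":
            findings.append(("aaa authorization",
                             f"method list is {' '.join(methods)!r}; it must be "
                             "'group radius' or 'group <server-group-name>'"))
        elif methods[1] != "radius" and methods[1] not in groups:
            findings.append(("aaa authorization",
                             f"server group {methods[1]!r} is not defined with 'aaa group server radius'"))

    if "radius-server vsa send authentication" not in glob:
        findings.append(("radius-server vsa",
                         "'radius-server vsa send authentication' missing; dACLs are carried in Cisco VSAs"))

    for name, lines in ifaces.items():
        if not any(l.startswith(("authentication port-control auto",
                                 "access-session port-control auto")) for l in lines):
            continue   # not an 802.1X/MAB port
        vlans = {}
        for l in lines:
            for kind in ("access", "voice"):
                if l.startswith(f"switchport {kind} vlan "):
                    vlans[kind] = l.split()[-1]
        if "access" in vlans and vlans["access"] == vlans.get("voice"):
            findings.append((name, f"voice and data VLAN are both {vlans['access']}; authorization will fail"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(BROKEN_CONFIG):
        print(f"{scope}: {finding}")
    print("fixed config findings:", audit(FIXED_CONFIG))
```

Against the broken sample it reports the local method list, the missing VSA command and the VLAN clash on GigabitEthernet1/0/1 and nothing for GigabitEthernet1/0/2; against the fixed sample it reports nothing. Feed it the output of show running-config from a switch showing Authz Failed before you start digging through ISE.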
