13036 Selected Shell Profile is DenyAccess

Wendols
Level 1

Hello All

After a fresh migration from ACS 5.7 to ISE 2.3, I encounter a problem managing my equipment with TACACS+.
My ISE 2.3 is well integrated in AD, the groups are there, and I can test the users successfully, but when I try to authenticate on equipment that uses my ISE as the authentication server with AD as the identity source, I receive the message "13036 Selected Shell Profile is DenyAccess". When I use internal users with the same rules, everything is fine.

 

Thanks

7 Replies

Hi,

What conditions are you using in your authorization rules for AD users? Can you please post a screenshot of your authorization rules?

@Rob Ingram

You can find the screenshot of the authorizations used.

Thanks. Could the issue be with the other conditions you've applied in your rules? If you temporarily remove the other conditions (DEVICE & Network Access Protocol), does the session match the correct rule?

Can you also provide a screenshot of the authorization log?

@Rob Ingram

Steps

13013 Received TACACS+ Authentication START Request - AD1
15049 Evaluating Policy Group - My.user
15008 Evaluating Service Selection Policy - my.domain.com
15048 Queried PIP - my.domain.com
15048 Queried PIP - DEVICE.Device Type
15041 Evaluating Identity Policy - my.domain.com
22072 Selected identity source sequence - AD1
15013 Selected Identity Source - AD1
13045 TACACS+ will use the password prompt from global TACACS+ configuration
13015 Returned TACACS+ Authentication Reply
13014 Received TACACS+ Authentication CONTINUE Request ( Step latency=5596ms)
15041 Evaluating Identity Policy
22072 Selected identity source sequence - identity_tacacs
15013 Selected Identity Source - AD1
24430 Authenticating user against Active Directory - AD1
24325 Resolving identity - My.user
24313 Search for matching accounts at join point - my.domain.com
24319 Single matching account found in forest - my.domain.com
24323 Identity resolution detected single matching account
24343 RPC Logon request succeeded - My.user@my.domain.com
24402 User authentication against Active Directory succeeded - AD1
22037 Authentication Passed
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory
24325 Resolving identity
24313 Search for matching accounts at join point
24319 Single matching account found in forest
24323 Identity resolution detected single matching account
24355 LDAP fetch succeeded
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP - AD1.ExternalGroups (2 times)
13036 Selected Shell Profile is DenyAccess
13015 Returned TACACS+ Authentication Reply



Is there any answer?

Did you try removing the other conditions, as mentioned previously, and then trying again?

The rest of the authorization log (on the left-hand side of the page) would confirm whether that user was actually in the Administrateurs group. All I can tell from the logs above is that the user was successfully authenticated and AD group retrieval succeeded.

ajc
Level 7

I am talking to Cisco BU about this INCORRECT error message. I migrated my ACS 5.7 to ISE 2.3 and experienced the same problem, but I realized it had nothing to do with the shell profile or similar.

 

One of the conditions in the AUTHZ policy was not matched and I got the same shell profile error. So, as RJI said, check that you're matching ALL the conditions of the corresponding AUTHZ policy.
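To make the point from the log steps above and from ajc's reply checkable, here is an added example (not code from the thread or from Cisco): it parses ISE step lines of the form "code message", and when it finds 13036 DenyAccess it reports whether authentication had already passed (22037), authorization was being evaluated (15036), AD groups were retrieved (24416) and which PIP attributes (15048) were queried, so a DenyAccess that follows a successful authentication is classified as "no authorization rule matched all its conditions" rather than a shell profile problem. The sample log is a constructed excerpt of the one pasted above; the step codes are the ones that appear in it.

```python
import re

# ISE step codes as they appear in the TACACS+ log pasted in this thread.
AUTH_PASSED, AUTHZ_EVAL, GROUPS_OK = "22037", "15036", "24416"
PIP_QUERIED, DENY_PROFILE = "15048", "13036"

STEP_RE = re.compile(r"^\s*(\d{5})\s+(.+?)\s*$")

# Constructed excerpt of the log from this thread (blank lines removed).
SAMPLE_LOG = """
13013 Received TACACS+ Authentication START Request - AD1
15048 Queried PIP - my.domain.com
15048 Queried PIP - DEVICE.Device Type
24402 User authentication against Active Directory succeeded - AD1
22037 Authentication Passed
15036 Evaluating Authorization Policy
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP - AD1.ExternalGroups (2 times)
13036 Selected Shell Profile is DenyAccess
13015 Returned TACACS+ Authentication Reply
"""

def parse_steps(text):
    """Return (code, message) pairs; lines that are not step entries are ignored."""
    return [m.groups() for m in map(STEP_RE.match, text.splitlines()) if m]

def diagnose(steps):
    """Classify a DenyAccess outcome: authentication failure vs. authorization fall-through."""
    codes = [c for c, _ in steps]
    if DENY_PROFILE not in codes:
        return {"verdict": "no_deny_access"}
    before = steps[: codes.index(DENY_PROFILE)]   # everything ISE did before denying
    seen = {c for c, _ in before}
    # Attributes (PIPs) ISE had to fetch to evaluate the rule conditions.
    pips = [m.split(" - ", 1)[1] for c, m in before if c == PIP_QUERIED and " - " in m]
    result = {
        "auth_passed": AUTH_PASSED in seen,
        "authz_evaluated": AUTHZ_EVAL in seen,
        "ad_groups_retrieved": GROUPS_OK in seen,
        "pips_queried": pips,
    }
    if not result["auth_passed"]:
        result["verdict"] = "authentication_failed"
    elif result["authz_evaluated"]:
        # Authentication and group lookup succeeded, yet no rule granted a profile:
        # the deny is the default rule's result, so a condition on the AD rule did not match.
        result["verdict"] = "authz_no_rule_matched"
    else:
        result["verdict"] = "unexpected_order"
    return result
```

Running `diagnose(parse_steps(SAMPLE_LOG))` on the excerpt yields the verdict `authz_no_rule_matched` together with the three PIPs (device type, protocol/domain and AD ExternalGroups) whose conditions are the ones to re-check on the AD rule.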

 

thanks