https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435783#M536648 <HTML><HEAD></HEAD><BODY><P>If this is a standalone ISE, try restarting ISE services. If a secondary ISE nodes, try a manual re-sync.</P></BODY></HTML> Wed, 28 Dec 2016 19:33:36 GMT hslai 2016-12-28T19:33:36Z https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435780#M536644 <HTML><HEAD></HEAD><BODY><P>Configured ASA VPN access with OpenOTP as the token server.&nbsp; Running an authentication test and getting Deny Access result.&nbsp; Reason is defined as "Rejected per authorization profile"&nbsp; Per OTP logs and ISE authentication,&nbsp; user authentication is successful.&nbsp; Using Policy Sets. Authorization policy has no Deny Access statement in it.&nbsp; First rule is a Permit access with no conditions.&nbsp; The default rule is Permit access.&nbsp; Appears to be failing before hitting the authorization table even though authentication succeeds.&nbsp; ISE 2.1 patch 2. <IMG alt="Screen Shot 2016-12-26 at 10.20.03 AM.png" class="image-1 jive-image" src="/legacyfs/online/fusion/103432_Screen Shot 2016-12-26 at 10.20.03 AM.png" style="height: 388px; width: 620px;" /></P><P><IMG alt="Screen Shot 2016-12-26 at 10.24.19 AM.png" class="jive-image image-2" src="/legacyfs/online/fusion/103442_Screen Shot 2016-12-26 at 10.24.19 AM.png" style="height: 388px; width: 620px;" /></P></BODY></HTML> Mon, 26 Dec 2016 16:26:40 GMT https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435780#M536644 scamarda 2016-12-26T16:26:40Z https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435781#M536646 <HTML><HEAD></HEAD><BODY><P>Can you share the live log details?</P><P></P><P>Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.</P></BODY></HTML> Tue, 27 Dec 2016 06:38:35 GMT https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435781#M536646 gbekmezi-DD 2016-12-27T06:38:35Z https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435782#M536647 <HTML><HEAD></HEAD><BODY><P><IMG alt="Authc Failure Entire Page.png" class="image-1 jive-image" src="/legacyfs/online/fusion/103443_Authc Failure Entire Page.png" style="height: 972px; width: 620px;" /></P></BODY></HTML> Tue, 27 Dec 2016 14:16:46 GMT https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435782#M536647 scamarda 2016-12-27T14:16:46Z https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435783#M536648 <HTML><HEAD></HEAD><BODY><P>If this is a standalone ISE, try restarting ISE services. If a secondary ISE nodes, try a manual re-sync.</P></BODY></HTML> Wed, 28 Dec 2016 19:33:36 GMT https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435783#M536648 hslai 2016-12-28T19:33:36Z https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435784#M536649 <HTML><HEAD></HEAD><BODY><P>The deployment is two nodes.&nbsp; I've gone ahead and resynced and restarted.&nbsp; Still same result.&nbsp; Session is coming up as Denied even though I have everything set to permit.&nbsp;&nbsp; Happening on both nodes.</P></BODY></HTML> Tue, 03 Jan 2017 14:35:35 GMT https://community.cisco.com/t5/network-access-control/authentication-rejected-with-openotp-token-server/m-p/3435784#M536649 scamarda 2017-01-03T14:35:35Z