https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671305#M919191 <P>I feel quite strange why ACS ignore my newly added authorization policy for vpn access. The ACS has been fully associated with Microsoft AD. I created the policy in the following steps:</P><P>1. Create AD group for VPN login on Microsoft AD.</P><P>2. Assign users to the new AD group. Users only belong to the new AD group and no relationship with other VPN group.</P><P>3. Select the newly added AD group into ACS with 'Active Directory'-&gt; 'Directory Groups'</P><P>4. Greate Authorization Profile for the new VPN authorization policy in 'Policy Elements'-&gt;'Authorization and Permission'-&gt;'Network Access'-&gt;'Authorization Profile'.</P><P>5. Create network access authorization policy in 'Access Policies'-&gt; 'Access Services'-&gt;'Default Network Access'-&gt;'Authorization'. Clicking new and select 'Contains any' in the new VPN group and select the newly added authorization profile in step 4.</P><P>6. Save the changes.</P><P>7. Configure Cisco Firewall to listen the VPN connect request and authentication in Radius.</P><P>When I test the vpn connection, I found that there is no way when I enter correct username and password, the vpnclient always deny and prompt again and again.</P><P>I checked on the ACS log and found that ACS success the AD authentication but fail to find an Authorization Policy so it choose default deny access policy.</P><P>I am an newer to Cisco ACS, I don't have much idea on solve it, Could you help me? Thanks.</P><TABLE _eventid="369" id="S2"><TBODY><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">11001 &nbsp;Received RADIUS Access-Request</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">11017 &nbsp;RADIUS created a new session</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; BACKGROUND-COLOR: rgb(217,227,233); FONT-STYLE: normal; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; TEXT-DECORATION: underline; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">Evaluating Service Selection Policy</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15004 &nbsp;Matched rule</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15012 &nbsp;Selected Access Service - VPN ACCESS</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; BACKGROUND-COLOR: rgb(217,227,233); FONT-STYLE: normal; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; TEXT-DECORATION: underline; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">Evaluating Identity Policy</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15006 &nbsp;Matched Default Rule</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15013 &nbsp;Selected Identity Store - AD1</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">24430 &nbsp;Authenticating user against Active Directory</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">24416 &nbsp;User's Groups retrieval from Active Directory succeeded</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">24402 &nbsp;User authentication against Active Directory succeeded</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">22037 &nbsp;Authentication Passed</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; BACKGROUND-COLOR: rgb(217,227,233); FONT-STYLE: normal; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; TEXT-DECORATION: underline; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">Evaluating Group Mapping Policy</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; BACKGROUND-COLOR: rgb(217,227,233); FONT-STYLE: normal; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; TEXT-DECORATION: underline; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">Evaluating Exception Authorization Policy</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15042 &nbsp;No rule was matched</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; BACKGROUND-COLOR: rgb(217,227,233); FONT-STYLE: normal; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; TEXT-DECORATION: underline; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">Evaluating Authorization Policy</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15006 &nbsp;Matched Default Rule</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15016 &nbsp;Selected Authorization Profile - DenyAccess</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15039 &nbsp;Selected Authorization Profile is DenyAccess</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(255,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">11003 &nbsp;Returned RADIUS Access-Reject</DIV></TD></TR></TBODY></TABLE> Fri, 21 Feb 2020 13:28:32 GMT Prin12345 2020-02-21T13:28:32Z https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671305#M919191 <P>I feel quite strange why ACS ignore my newly added authorization policy for vpn access. The ACS has been fully associated with Microsoft AD. I created the policy in the following steps:</P><P>1. Create AD group for VPN login on Microsoft AD.</P><P>2. Assign users to the new AD group. Users only belong to the new AD group and no relationship with other VPN group.</P><P>3. Select the newly added AD group into ACS with 'Active Directory'-&gt; 'Directory Groups'</P><P>4. Greate Authorization Profile for the new VPN authorization policy in 'Policy Elements'-&gt;'Authorization and Permission'-&gt;'Network Access'-&gt;'Authorization Profile'.</P><P>5. Create network access authorization policy in 'Access Policies'-&gt; 'Access Services'-&gt;'Default Network Access'-&gt;'Authorization'. Clicking new and select 'Contains any' in the new VPN group and select the newly added authorization profile in step 4.</P><P>6. Save the changes.</P><P>7. Configure Cisco Firewall to listen the VPN connect request and authentication in Radius.</P><P>When I test the vpn connection, I found that there is no way when I enter correct username and password, the vpnclient always deny and prompt again and again.</P><P>I checked on the ACS log and found that ACS success the AD authentication but fail to find an Authorization Policy so it choose default deny access policy.</P><P>I am an newer to Cisco ACS, I don't have much idea on solve it, Could you help me? Thanks.</P><TABLE _eventid="369" id="S2"><TBODY><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">11001 &nbsp;Received RADIUS Access-Request</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">11017 &nbsp;RADIUS created a new session</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; BACKGROUND-COLOR: rgb(217,227,233); FONT-STYLE: normal; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; TEXT-DECORATION: underline; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">Evaluating Service Selection Policy</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15004 &nbsp;Matched rule</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15012 &nbsp;Selected Access Service - VPN ACCESS</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; BACKGROUND-COLOR: rgb(217,227,233); FONT-STYLE: normal; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; TEXT-DECORATION: underline; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">Evaluating Identity Policy</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15006 &nbsp;Matched Default Rule</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15013 &nbsp;Selected Identity Store - AD1</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">24430 &nbsp;Authenticating user against Active Directory</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">24416 &nbsp;User's Groups retrieval from Active Directory succeeded</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">24402 &nbsp;User authentication against Active Directory succeeded</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">22037 &nbsp;Authentication Passed</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; BACKGROUND-COLOR: rgb(217,227,233); FONT-STYLE: normal; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; TEXT-DECORATION: underline; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">Evaluating Group Mapping Policy</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; BACKGROUND-COLOR: rgb(217,227,233); FONT-STYLE: normal; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; TEXT-DECORATION: underline; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">Evaluating Exception Authorization Policy</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15042 &nbsp;No rule was matched</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; BACKGROUND-COLOR: rgb(217,227,233); FONT-STYLE: normal; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; TEXT-DECORATION: underline; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">Evaluating Authorization Policy</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15006 &nbsp;Matched Default Rule</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15016 &nbsp;Selected Authorization Profile - DenyAccess</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(0,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">15039 &nbsp;Selected Authorization Profile is DenyAccess</DIV></TD></TR><TR align="left" style="BORDER-BOTTOM: rgb(132,153,162) thin; BORDER-LEFT: rgb(132,153,162) thin solid; PADDING-BOTTOM: 1pt; PADDING-LEFT: 2pt; PADDING-RIGHT: 2pt; COLOR: rgb(255,0,0); BORDER-TOP: rgb(132,153,162) thin; FONT-WEIGHT: normal; BORDER-RIGHT: rgb(132,153,162) thin solid; PADDING-TOP: 1pt" valign="center"><TD style="PADDING-BOTTOM: 2pt; PADDING-LEFT: 4pt; PADDING-RIGHT: 4pt; PADDING-TOP: 2pt" valign="center"><DIV style="MARGIN-TOP: 0pt">11003 &nbsp;Returned RADIUS Access-Reject</DIV></TD></TR></TBODY></TABLE> Fri, 21 Feb 2020 13:28:32 GMT https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671305#M919191 Prin12345 2020-02-21T13:28:32Z https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671306#M919192 <P>You connections are passing "Authentication" but are failing "Authorization". The connections are&nbsp;hitting the "default" authorization rule which which is to Deny Access. Thus, something is wrong with your Access Policy that you crated for the VPN based authentications. Something in the policy is not matching, thus the rule is skipped.&nbsp;</P><P>Can you post screen shots of your Access Policies screen and then screen shot of the actual policy details.&nbsp;</P><P>&nbsp;</P><P><EM>Thank you for rating helpful posts!</EM></P> Sun, 17 May 2015 06:17:37 GMT https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671306#M919192 nspasov 2015-05-17T06:17:37Z https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671307#M919193 <P>Thanks for your attention Neno.</P><P>The bug has been captured. It was caused by conflict between inner policies. For example, You have created an 'Access Service', for example "Cisco Access Control", and some Network Access Authentication Policy, for example "rule 1". Then some people thought the access service was no longer useful and disable it, but he forget to disable the active Authentication Policy 'rule 1' first. So when my problem happened, one of 'Access Service ' was disable, but the policy 'rule 1' was still enable. There was a conflct between Access Service and Access Policy.</P><P>When I restart the ACS, the main process runtime got into 'Not monitor' state, which means ACS start fail. I checked the log and found that RTDaemon start failure because can not read from policy database. After eliminating the conflicted error, and then start runtime. it successed.</P><P>I think there should be an imporvement from cisco developers to eliminate such kind of trouble happening. The bug caused our VPN service got down 2 hours.</P> Tue, 19 May 2015 01:40:14 GMT https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671307#M919193 Prin12345 2015-05-19T01:40:14Z https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671308#M919194 <P>Thanks for the info! (+5 from me). Did you actually get a bug/defect ID? If so can you please share it here?</P> Tue, 19 May 2015 02:01:27 GMT https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671308#M919194 nspasov 2015-05-19T02:01:27Z https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671309#M919195 <P>Sorry, Neno, I didn't get the bug/defect ID as I don't have the privilege to access some Cisco bug info. I wanted to get some log of errors for you but it has been over by the other logs.</P> Tue, 19 May 2015 03:50:05 GMT https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671309#M919195 Prin12345 2015-05-19T03:50:05Z https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671310#M919196 <P>No problem! Thanks for the info! If your issue is resolved, you should mark the thread as "answered" <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Wed, 20 May 2015 02:44:19 GMT https://community.cisco.com/t5/network-security/why-acs-ignore-new-network-access-authorization-policy/m-p/2671310#M919196 nspasov 2015-05-20T02:44:19Z