01-24-2018 12:26 PM
When I try to connect to the ASA (9.6)/ISE (2.2) using https://asaaddress.domain.com, I authenticate with username (via RADIUS/AD/ISE), but access is still denied -
From Radius live log details - steps -
24343 | RPC Logon request succeeded - XXXXXXX@XXXXXXX.com | |
24402 | User authentication against Active Directory succeeded - XXXXXXX.com | |
22037 | Authentication Passed | |
24423 | ISE has not been able to confirm previous successful machine authentication | |
15036 | Evaluating Authorization Policy | |
15048 | Queried PIP - Session.EPSStatus | |
15016 | Selected Authorization Profile - DenyAccess | |
15039 | Rejected per authorization profile | |
11003 | Returned RADIUS Access-Reject |
The machine was just previously authenticated on the network (Wired and wireless) -
Authentication is VPN->Default->Default, not hitting Authorization policy
01-24-2018 12:48 PM
You are hitting an authorization profile, just one that has Access-Reject in it. What does your VPN policy set look like?
01-24-2018 01:07 PM
Very basic - I am in the dialup users group - then VPN ALLOW
Policy, Policy elements, Results, Authorization, Authorization Profiles, VPN ALLOW, has Access Type = ACCESS_ACCEPT, and DACL = ISE-VPN-ALLOW
01-24-2018 01:20 PM
Also - I tried changing the final VPN rule to "PermitAccess" - no difference.
01-24-2018 01:51 PM
Show the result details where you changed it to permit access. That should show:
15016 Selected Authorization Profile – PermitAccess
01-24-2018 02:47 PM
That is what I thought, but the details stay exactly the same.
So I don't think it gets to the final rule; it authenticates, but doesn't authorize.
01-24-2018 04:03 PM
Is this a deployment or one node? If a deployment, it sounds like you may have a synchronization issue with the PSN. If you changed to PermitAccess but you see log details showing DenyAccess, then I would look at sync issues.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
01-24-2018 04:11 PM
It is a deployment; these two nodes are in the same zone. I will reset and give them longer to sync. Is there a key or synchronize ID? Something I can check?
01-24-2018 04:15 PM
Are the authentications going to the same node as the rule set you are looking at? You can force sync from the deployment screen.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250
01-25-2018 08:59 AM
I copied the VPN policy to VPN_copy and changed the last rule to PermitAccess – left plenty of time to sync with no change. (Access is good from the AnyConnect client, fails for Clientless SSL VPN.)
I purchased a book yesterday and it has a helpful hint to test the “AAA test” from the ASA. The test FAILS. This seems odd since I can connect/authenticate using the AnyConnect client.
Here are the trace results of (3) connection attempts (AAA test , Clientless SSL VPN from home , AnyConnect client from home ) – seems like I should focus on getting the AAA test to work, but not sure where to start.
Test from ASA AAA Server Groups ###################
Radius.User-Name=myname@mydomain.com
Radius.NAS-IP-Address=10.247.101.10
Radius.NAS-Port-Type=Virtual
Network Access.NetworkDeviceName=MyCompVPN
Network Access.AuthenticationMethod=PAP_ASCII
Network Access.Protocol=RADIUS
Radius.NAS-Port=3
Network Access.AD-User-Join-Point=MyDomain.COM
Network Access.AD-User-DNS-Domain=MyDomain.com
DEVICE.Network Device Profile=Cisco
DEVICE.Location=All Locations#MyLocation
DEVICE.Device Type=All Device Types#Firewalls
MyDomain.com.IdentityAccessRestricted=false
Network Access.Device IP Address=10.247.101.10
Failed from home to Clientless WebVPN ###################
Radius.Calling-Station-ID=12.193.30.2
Radius.User-Name=myname@mydomain.com
Radius.NAS-IP-Address=10.247.101.10
Radius.NAS-Port-Type=Virtual
Network Access.NetworkDeviceName=MyCompVPN
Network Access.AuthenticationMethod=PAP_ASCII
Network Access.Protocol=RADIUS
Radius.NAS-Port=323584
Radius.Tunnel-Client-Endpoint=(tag=0) 12.193.30.2
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name=AnyConnect
Normalised Radius.SSID=183.187.10.10
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Client-Type=Clientless-SSL-VPN
Network Access.AD-User-Join-Point=MyDomain.COM
Network Access.AD-User-DNS-Domain=MyDomain.com
DEVICE.Network Device Profile=Cisco
DEVICE.Location=All Locations#MyLocation
DEVICE.Device Type=All Device Types#Firewalls
MyDomain.com.IdentityAccessRestricted=false
Network Access.Device IP Address=10.247.101.10
Radius.Called-Station-ID=183.187.10.10
Success from home to AnyConnect Client ###################
Radius.Calling-Station-ID=12.193.30.2
Radius.User-Name=myname@mydomain.com
Radius.NAS-IP-Address=10.247.101.10
Radius.NAS-Port-Type=Virtual
Network Access.NetworkDeviceName=MyCompVPN
Network Access.AuthenticationMethod=PAP_ASCII
Network Access.Protocol=RADIUS
Radius.NAS-Port=8192
Radius.Tunnel-Client-Endpoint=(tag=0) 12.193.30.2
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name=AnyConnect
Normalised Radius.SSID=183.187.10.10
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Client-Type=AnyConnect-Client-SSL-VPN
Network Access.AuthenticationStatus=AuthenticationPassed
Network Access.AD-User-Join-Point=MyDomain.COM
Network Access.AD-User-DNS-Domain=MyDomain.com
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-Admins
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup Users
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsMyLocation
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsGlobal
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-AdvancedMathematics
MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Users
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/IS/Groups/vCenterAdmins
MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Admins
DEVICE.Network Device Profile=Cisco
DEVICE.Location=All Locations#MyLocation
DEVICE.Device Type=All Device Types#Firewalls
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-Admins
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup Users
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsMyLocation
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsGlobal
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-AdvancedMathematics
MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Users
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/IS/Groups/vCenterAdmins
MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Admins
MyDomain.com.IdentityAccessRestricted=false
Network Access.Device IP Address=10.247.101.10
Radius.Called-Station-ID=183.187.10.10
-cliff
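The three attribute dumps above differ in more than the Client-Type value: neither the AAA test nor the clientless attempt carries any MyDomain.com.ExternalGroups values or a Network Access.AuthenticationStatus attribute, while the working AnyConnect request does, and the VPN rule described earlier matches on membership in "Dialup Users". The script below is an added example, not code from the thread or from Cisco; it parses ISE attribute dumps of this "name=value" shape and reports which attributes a failing request lacks relative to a working one. The embedded dumps are abridged copies of the ones posted above (the group list is shortened), and the function names are the example's own.

```python
"""Diff two ISE RADIUS attribute dumps to show what the failing request lacks."""
from collections import defaultdict

# Constructed input: abridged copies of the clientless (failed) and AnyConnect
# (succeeded) dumps posted in the thread. The ExternalGroups list is shortened.
CLIENTLESS_FAIL = """\
Radius.Calling-Station-ID=12.193.30.2
Radius.User-Name=myname@mydomain.com
Radius.NAS-Port=323584
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name=AnyConnect
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Client-Type=Clientless-SSL-VPN
Network Access.AD-User-Join-Point=MyDomain.COM
MyDomain.com.IdentityAccessRestricted=false
"""

ANYCONNECT_OK = """\
Radius.Calling-Station-ID=12.193.30.2
Radius.User-Name=myname@mydomain.com
Radius.NAS-Port=8192
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name=AnyConnect
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Client-Type=AnyConnect-Client-SSL-VPN
Network Access.AuthenticationStatus=AuthenticationPassed
Network Access.AD-User-Join-Point=MyDomain.COM
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup Users
MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Users
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup Users
MyDomain.com.IdentityAccessRestricted=false
"""


def parse_attrs(dump):
    """Parse 'name=value' lines into {name: [values]}.

    ISE repeats multi-valued attributes (ExternalGroups) one per line and, as
    the thread's dump shows, may list the same group twice; duplicates are
    dropped so a later comparison is not confused by repetition.
    """
    attrs = defaultdict(list)
    for line in dump.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        name, value = line.split("=", 1)
        if value not in attrs[name]:
            attrs[name].append(value)
    return dict(attrs)


def diff_attrs(fail, ok):
    """Return (missing, extra, changed).

    missing: attribute names present only in the working request
    extra:   attribute names present only in the failing request
    changed: names present in both whose value lists differ
    """
    missing = sorted(set(ok) - set(fail))
    extra = sorted(set(fail) - set(ok))
    changed = {n: (fail[n], ok[n]) for n in set(fail) & set(ok) if fail[n] != ok[n]}
    return missing, extra, changed


def has_group(attrs, group_suffix):
    """True if any <join-point>.ExternalGroups value ends with group_suffix.

    The attribute name is prefixed with the AD join point (MyDomain.com here),
    so match on the suffix rather than hard-coding the domain.
    """
    for name, values in attrs.items():
        if name.endswith(".ExternalGroups"):
            if any(v.endswith(group_suffix) for v in values):
                return True
    return False


if __name__ == "__main__":
    fail, ok = parse_attrs(CLIENTLESS_FAIL), parse_attrs(ANYCONNECT_OK)
    missing, extra, changed = diff_attrs(fail, ok)
    print("Only in the working request:", missing)
    print("Only in the failing request:", extra)
    for name, (f, o) in changed.items():
        print(f"Changed: {name}: {f} -> {o}")
    rule_group = "Groups/Dialup Users"
    print(f"Failing request carries '{rule_group}':", has_group(fail, rule_group))
    print(f"Working request carries '{rule_group}':", has_group(ok, rule_group))
```

Paste the full dumps from Operations > RADIUS > Live Logs into the two constants (or read them from files) to run it against your own nodes. The output makes the question to take to TAC concrete: an authorization rule that conditions on an AD group can only match when the request carries that group, so the first thing to establish is why the group retrieval is absent from the clientless and AAA-test attempts but present for the AnyConnect one.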
01-25-2018 05:40 PM
Try using the primary ISE to authenticate and see whether it makes any difference. If it does, then go to the deployment page and initiate a manual sync to the 2nd ISE node.
01-26-2018 08:17 AM
Thanks, but no difference using primary/secondary to authenticate.
-cliff
01-26-2018 08:23 AM
Please restart the ISE services on one of the ISE nodes. If this does not help, then your policies might be in a strange state; please engage Cisco TAC to investigate further.
01-26-2018 08:23 AM
I would probably open a TAC case. Most likely it is something that is easily explained, but hard to troubleshoot over the forums.
Paul Haferman
Office- 920.996.3011
Cell- 920.284.9250