AnyConnect Clientless SSL VPN - ISE Auth failure

newbieftd (Level 1)

When I try to connect to the ASA (9.6)/ISE (2.2) using https://asaaddress.domain.com, I authenticate with username (via RADIUS/AD/ISE), but access is still denied -

From Radius live log details - steps -

24343 RPC Logon request succeeded - XXXXXXX@XXXXXXX.com
24402 User authentication against Active Directory succeeded - XXXXXXX.com
22037 Authentication Passed
24423 ISE has not been able to confirm previous successful machine authentication
15036 Evaluating Authorization Policy
15048 Queried PIP - Session.EPSStatus
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject

The machine was just previously authenticated on the network (Wired and wireless) -

Authentication is VPN->Default->Default, not hitting Authorization policy

Accepted Solution

I would probably open a TAC case. Most likely it is something that is easily explained, but hard to troubleshoot over the forums.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250


13 Replies

paul (Level 10)

You are hitting an authorization profile, just one that has Access-Reject in it.  What does your VPN policy set look like?

Very basic - I am in the dialup users group - then VPN ALLOW

Policy, Policy elements, Results, Authorization, Authorization Profiles, VPN ALLOW, has Access Type = ACCESS_ACCEPT, and DACL = ISE-VPN-ALLOW

Also - I tried changing the final VPN rule to "PermitAccess" - no difference.

Show the result details where you changed it to permit access. That should show:

15016 Selected Authorization Profile – PermitAccess

That is what I thought, but the details stay exactly the same.

So I don’t think it gets to the final rule, it authenticates, but doesn’t authorize.

Is this a deployment or one node? If a deployment, it sounds like you may have a synchronization issue with the PSN. If you changed to PermitAccess but you see log details showing DenyAccess, then I would look at sync issues.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

It is a deployment; these two nodes are in the same zone. I will reset and give them longer to sync. Is there a key or synchronize ID? Something I can check?

Are the authentications going to the same node as the rule set you are looking at? You can force sync from the deployment screen.

Paul Haferman

Office- 920.996.3011

Cell- 920.284.9250

I copied the VPN policy to VPN_copy, and changed the last rule to PermitAccess – left plenty of time to sync with no change. (access good from AnyConnect client, fails for Clientless SSL VPN).

I purchased a book yesterday and it has a helpful hint to test the “AAA test” from the ASA. The test FAILS. This seems odd since I can connect/authenticate using the AnyConnect client.

Here are the trace results of (3) connection attempts (AAA test , Clientless SSL VPN from home , AnyConnect client from home ) – seems like I should focus on getting the AAA test to work, but not sure where to start.

1. Test from ASA AAA Server Groups

Radius.User-Name=myname@mydomain.com
Radius.NAS-IP-Address=10.247.101.10
Radius.NAS-Port-Type=Virtual
Network Access.NetworkDeviceName=MyCompVPN
Network Access.AuthenticationMethod=PAP_ASCII
Network Access.Protocol=RADIUS
Radius.NAS-Port=3
Network Access.AD-User-Join-Point=MyDomain.COM
Network Access.AD-User-DNS-Domain=MyDomain.com
DEVICE.Network Device Profile=Cisco
DEVICE.Location=All Locations#MyLocation
DEVICE.Device Type=All Device Types#Firewalls
MyDomain.com.IdentityAccessRestricted=false
Network Access.Device IP Address=10.247.101.10

2. Failed from home to Clientless WebVPN

Radius.Calling-Station-ID=12.193.30.2
Radius.User-Name=myname@mydomain.com
Radius.NAS-IP-Address=10.247.101.10
Radius.NAS-Port-Type=Virtual
Network Access.NetworkDeviceName=MyCompVPN
Network Access.AuthenticationMethod=PAP_ASCII
Network Access.Protocol=RADIUS
Radius.NAS-Port=323584
Radius.Tunnel-Client-Endpoint=(tag=0) 12.193.30.2
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name=AnyConnect
Normalised Radius.SSID=183.187.10.10
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Client-Type=Clientless-SSL-VPN
Network Access.AD-User-Join-Point=MyDomain.COM
Network Access.AD-User-DNS-Domain=MyDomain.com
DEVICE.Network Device Profile=Cisco
DEVICE.Location=All Locations#MyLocation
DEVICE.Device Type=All Device Types#Firewalls
MyDomain.com.IdentityAccessRestricted=false
Network Access.Device IP Address=10.247.101.10
Radius.Called-Station-ID=183.187.10.10

3. Success from home to AnyConnect Client

Radius.Calling-Station-ID=12.193.30.2
Radius.User-Name=myname@mydomain.com
Radius.NAS-IP-Address=10.247.101.10
Radius.NAS-Port-Type=Virtual
Network Access.NetworkDeviceName=MyCompVPN
Network Access.AuthenticationMethod=PAP_ASCII
Network Access.Protocol=RADIUS
Radius.NAS-Port=8192
Radius.Tunnel-Client-Endpoint=(tag=0) 12.193.30.2
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Tunnel-Group-Name=AnyConnect
Normalised Radius.SSID=183.187.10.10
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Client-Type=AnyConnect-Client-SSL-VPN
Network Access.AuthenticationStatus=AuthenticationPassed
Network Access.AD-User-Join-Point=MyDomain.COM
Network Access.AD-User-DNS-Domain=MyDomain.com
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-Admins
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup Users
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsMyLocation
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsGlobal
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-AdvancedMathematics
MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Users
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/IS/Groups/vCenterAdmins
MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Admins
DEVICE.Network Device Profile=Cisco
DEVICE.Location=All Locations#MyLocation
DEVICE.Device Type=All Device Types#Firewalls
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-Admins
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup Users
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsMyLocation
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/NetworkDeviceMGRsGlobal
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup-MyLocation-AdvancedMathematics
MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Users
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/IS/Groups/vCenterAdmins
MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Admins
MyDomain.com.IdentityAccessRestricted=false
Network Access.Device IP Address=10.247.101.10
Radius.Called-Station-ID=183.187.10.10

-cliff
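The three traces above differ in more than the Client-Type attribute: only the successful AnyConnect attempt carries the AD ExternalGroups attributes that a group-based authorization rule (such as "dialup users group, then VPN ALLOW") needs to match. Added example, not code from the thread: a small parser that diffs ISE attribute dumps, run over constructed, abridged excerpts of the three traces.

```python
from collections import defaultdict

# Constructed, abridged excerpts of the three traces pasted in the post.
AAA_TEST = """\
Radius.User-Name=myname@mydomain.com
MyDomain.com.IdentityAccessRestricted=false
"""
CLIENTLESS = """\
Radius.User-Name=myname@mydomain.com
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Client-Type=Clientless-SSL-VPN
MyDomain.com.IdentityAccessRestricted=false
"""
ANYCONNECT = """\
Radius.User-Name=myname@mydomain.com
Cisco-VPN3000.CVPN3000/ASA/PIX7x-Client-Type=AnyConnect-Client-SSL-VPN
Network Access.AuthenticationStatus=AuthenticationPassed
MyDomain.com.ExternalGroups=MyDomain.com/MyComp/Groups/Dialup Users
MyDomain.com.ExternalGroups=MyDomain.com/Users/Domain Users
MyDomain.com.IdentityAccessRestricted=false
"""

def parse_trace(text):
    # Parse "Name=Value" lines into {name: set(values)}. ISE repeats
    # multi-valued attributes such as ExternalGroups one per line.
    attrs = defaultdict(set)
    for line in text.splitlines():
        if "=" not in line:
            continue
        name, value = line.split("=", 1)
        attrs[name.strip()].add(value.strip())
    return dict(attrs)

def diff_traces(good, bad):
    # Attributes the good trace has that the bad one lacks entirely,
    # and attributes present in both whose values differ.
    missing = sorted(k for k in good if k not in bad)
    changed = sorted(k for k in good if k in bad and good[k] != bad[k])
    return missing, changed

def group_memberships(attrs):
    # Collect AD groups from every "<join-point>.ExternalGroups" attribute.
    return set().union(*(v for k, v in attrs.items() if k.endswith(".ExternalGroups")))

def report(label, good_text, bad_text):
    missing, changed = diff_traces(parse_trace(good_text), parse_trace(bad_text))
    return f"{label}: missing {missing}; differing {changed}"

if __name__ == "__main__":
    print(report("Clientless", ANYCONNECT, CLIENTLESS))
    print(report("AAA test", ANYCONNECT, AAA_TEST))
```

When a failing attempt shows no ExternalGroups at all, the first thing to check is the authentication policy's identity source and whether the ASA connection profile for that client type sends the same tunnel group as the working one.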

Try using the primary ISE to authenticate and see whether it makes any difference. If it does, then go to the deployment page and initiate a manual sync to the 2nd ISE node.

Thanks, but no difference using primary/secondary to authenticate.

-cliff

Please restart the ISE services on one of the ISE nodes. If this does not help, then your policies might be in a strange state; please engage Cisco TAC to investigate further.
