12-26-2016 08:26 AM
Configured ASA VPN access with OpenOTP as the token server. Running an authentication test and getting a Deny Access result. Reason is defined as "Rejected per authorization profile". Per OTP logs and ISE authentication, user authentication is successful. Using Policy Sets. Authorization policy has no Deny Access statement in it. First rule is a Permit access with no conditions. The default rule is Permit access. Appears to be failing before hitting the authorization table even though authentication succeeds. ISE 2.1 patch 2.
12-26-2016 10:38 PM
Can you share the live log details?
Warning: I either dictated this to my device, or typed it with my thumbs. Erroneous words are a feature, not a typo.
12-27-2016 06:16 AM
12-28-2016 11:33 AM
If this is a standalone ISE, try restarting ISE services. If a secondary ISE node, try a manual re-sync.
01-03-2017 06:35 AM
The deployment is two nodes. I've gone ahead and resynced and restarted. Still same result. Session is coming up as Denied even though I have everything set to permit. Happening on both nodes.