
VPN Auth with ISE

I am using ISE as the auth server for VPN clients. Everything works fine when I am using AnyConnect on a mobile phone: the user gets connected instantly, and the ISE logs show the correct AUTH and AUTHZ policies. But when I try to connect the same user from a laptop, ISE denies the user request; the ISE logs show the correct AUTH policy, but in AUTHZ it hits the default, which has a deny access profile.

Is this a known issue?

If anyone knows the solution then kindly let me know

ISE 2.3

ASA 9.7.1

17 Replies

Hi,

 

I made a little change and it worked, but I don't want it to work this way. If I specify an internal user in the authZ policy and put in my name, it works, and even in this case the credentials are coming from the AD.

Now this username is part of a user identity group. If I specify this user identity group, it stops working. Please check the attached images.

Normally when you have an external group we would have selected the external identity store and AD group in the AuthZ condition. You seem to have some hybrid where the user is external but the group is local to ISE (or at least not explicitly specified as coming from AD, as far as I can see). I suspect that's the cause of the issue. Not sure why it's working properly for mobile devices though.

 

It would probably be best authoritatively determined by TAC looking at your system live.

Hi,

 

Can you share the failure reason here?

-Aravind