10-03-2018 12:39 AM
I am using ISE as the Auth server for VPN clients. Everything works fine when I am using AnyConnect on a mobile phone: the user gets connected instantly, and in the ISE logs it shows the correct AUTH and AUTHZ policies. But when I try to connect the same user over a laptop, ISE denies the user request, and in the ISE logs it shows the correct AUTH policy but in AUTHZ it hits the default rule, which has the deny access profile.
Is this a known issue?
If anyone knows the solution, kindly let me know.
ISE 2.3
ASA 9.7.1
10-03-2018 06:03 AM
Hi,
I did a little change and it worked, but I don't want it to work this way: if I specify an internal user in the AuthZ policy and put in my name, it works, and even in this case the credentials are coming from the AD.
Now this username is part of a user identity group; if I specify this user identity group, it stops working. Please check the attached images.
10-03-2018 06:12 AM
Normally, when you have an external group, we would have selected the external identity store and the AD group in the AuthZ condition. You seem to have some hybrid where the user is external but the group is local to ISE (or at least not explicitly specified as coming from AD, as far as I can see). I suspect that's the cause of the issue. Not sure why it's working properly for mobile devices, though.
It would probably be best authoritatively determined by TAC looking at your system live.
10-03-2018 07:30 AM
Hi,
Can you share the failure reason here?