Hi,
After implementing ISE, we are unable to authenticate to the SSL VPN Web Portal using ISE and RSA.
Our setup is as follows, our Cisco 5545-X vpn concentrators make a call to ISE when a user log in, then ISE is a client of our RSA server for radius. In RSA, we show a successful connection but, in ISE we see a rejection.
It appears the issue is ISE related. This is only happening with the web portal. Normal client vpn works successfully.
Any advice?
Cisco Identity Services Engine
| 11001 |
Received RADIUS Access-Request |
| |
11017 |
RADIUS created a new session |
| |
15049 |
Evaluating Policy Group |
| |
15008 |
Evaluating Service Selection Policy |
| |
15048 |
Queried PIP - DEVICE.Device Type |
| |
15048 |
Queried PIP - Radius.NAS-Port-Type |
| |
15006 |
Matched Default Rule |
| |
15041 |
Evaluating Identity Policy |
| |
15006 |
Matched Default Rule |
| |
15013 |
Selected Identity Source - RSA_RADIUS |
| |
24609 |
RADIUS token identity store is authenticating against the primary server - RSA_RADIUS |
| |
11100 |
RADIUS-Client about to send request - RSA_RADIUS |
| |
11101 |
RADIUS-Client received response - RSA_RADIUS ( Step latency=2054 ms) |
| |
24612 |
Authentication against the RADIUS token server succeeded - RSA_RADIUS |
| |
24623 |
User record was cached - RSA_RADIUS |
| |
22037 |
Authentication Passed |
| |
24423 |
ISE has not been able to confirm previous successful machine authentication |
| |
15036 |
Evaluating Authorization Policy |
| |
15048 |
Queried PIP - Cisco.cisco-av-pair |
| |
15048 |
Queried PIP - Network Access.EndPointMACAddress |
| |
15048 |
Queried PIP - EndPoints.LogicalProfile |
| |
15048 |
Queried PIP - MDM.DeviceRegisterStatus |
| |
15048 |
Queried PIP - Session.PostureStatus |
| |
15048 |
Queried PIP - Network Access.EndPointMACAddress |
| |
15048 |
Queried PIP - EndPoints.LogicalProfile |
| |
15004 |
Matched rule - Default |
| |
15016 |
Selected Authorization Profile - DenyAccess |
| |
15039 |
Rejected per authorization profile |
| |
11003 |
Returned RADIUS Access-Reject |
|
|
