Hi,
After implementing ISE, we are unable to authenticate to the SSL VPN Web Portal using ISE and RSA.
Our setup is as follows: our Cisco 5545-X VPN concentrators make a call to ISE when a user logs in, and ISE is then a client of our RSA server for RADIUS. In RSA, we show a successful connection, but in ISE we see a rejection.
It appears the issue is ISE-related. This is only happening with the web portal. Normal client VPN works successfully.
Any advice?
Cisco Identity Services Engine
11001 | Received RADIUS Access-Request
11017 | RADIUS created a new session
15049 | Evaluating Policy Group
15008 | Evaluating Service Selection Policy
15048 | Queried PIP - DEVICE.Device Type
15048 | Queried PIP - Radius.NAS-Port-Type
15006 | Matched Default Rule
15041 | Evaluating Identity Policy
15006 | Matched Default Rule
15013 | Selected Identity Source - RSA_RADIUS
24609 | RADIUS token identity store is authenticating against the primary server - RSA_RADIUS
11100 | RADIUS-Client about to send request - RSA_RADIUS
11101 | RADIUS-Client received response - RSA_RADIUS ( Step latency=2054 ms)
24612 | Authentication against the RADIUS token server succeeded - RSA_RADIUS
24623 | User record was cached - RSA_RADIUS
22037 | Authentication Passed
24423 | ISE has not been able to confirm previous successful machine authentication
15036 | Evaluating Authorization Policy
15048 | Queried PIP - Cisco.cisco-av-pair
15048 | Queried PIP - Network Access.EndPointMACAddress
15048 | Queried PIP - EndPoints.LogicalProfile
15048 | Queried PIP - MDM.DeviceRegisterStatus
15048 | Queried PIP - Session.PostureStatus
15048 | Queried PIP - Network Access.EndPointMACAddress
15048 | Queried PIP - EndPoints.LogicalProfile
15004 | Matched rule - Default
15016 | Selected Authorization Profile - DenyAccess
15039 | Rejected per authorization profile
11003 | Returned RADIUS Access-Reject
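
Added example (not part of the original post): a small Python triage of the step list above that reports which ISE policy phase produced the final Access-Reject. The `ID | text` line layout, the function names and the shortened sample are assumptions; the step IDs and messages are taken from the report in the post.

```python
import re

# Constructed sample: the outcome-deciding steps copied from the report above.
SAMPLE = """\
15013 | Selected Identity Source - RSA_RADIUS
24612 | Authentication against the RADIUS token server succeeded - RSA_RADIUS
22037 | Authentication Passed
15036 | Evaluating Authorization Policy
15048 | Queried PIP - Cisco.cisco-av-pair
15048 | Queried PIP - Session.PostureStatus
15004 | Matched rule - Default
15016 | Selected Authorization Profile - DenyAccess
15039 | Rejected per authorization profile
11003 | Returned RADIUS Access-Reject
"""

STEP = re.compile(r"^\s*(\d{5})\s*\|\s*(.+?)\s*$")

def parse_steps(text):
    """Return [(step_id, message), ...] in log order, skipping non-step lines."""
    return [(int(m.group(1)), m.group(2))
            for m in map(STEP.match, text.splitlines()) if m]

def triage(steps):
    """Summarise which policy phase produced the final RADIUS result."""
    out = {"authn_passed": False, "result": None, "rejected_by": None,
           "authz_rule": None, "authz_profile": None, "authz_attributes": []}
    in_authz = False
    for sid, msg in steps:
        value = msg.partition(" - ")[2]      # text after "label - "
        if sid == 22037:                     # Authentication Passed
            out["authn_passed"] = True
        elif sid == 15036:                   # Evaluating Authorization Policy
            in_authz = True
        elif sid == 15048 and in_authz:      # attribute read by an authz condition
            out["authz_attributes"].append(value)
        elif sid == 15004:                   # Matched rule - <name>
            out["authz_rule"] = value
        elif sid == 15016:                   # Selected Authorization Profile - <name>
            out["authz_profile"] = value
        elif sid == 11003:                   # Returned RADIUS Access-Reject
            out["result"] = "Access-Reject"
    if out["result"] == "Access-Reject":
        # Heuristic: a reject after step 22037 comes from the authorization phase.
        out["rejected_by"] = "authorization" if out["authn_passed"] else "authentication"
    return out

if __name__ == "__main__":
    print(triage(parse_steps(SAMPLE)))
```

The `authz_attributes` list shows which attributes the authorization conditions queried before the request fell through to the `Default` rule.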