
VPN Client authentication with ISE

Legusol
Level 1

Hi,

I have configured our on-prem Cisco ISE server for RADIUS client authentication when users connect using Secure Client. The VPN authentication requests reach the ISE server, the user is correctly authenticated and ISE returns an "Access-Accept" to Secure Access; however, the Secure Client keeps asking the user for the credentials.

In the Remote Access logs I see failed connection events; the event details say "Authorization Check" and the error code is "ASA-6-113005".

What can be failing?

Regards.

Accepted Solutions

Legusol
Level 1

I finally figured it out.....user error. I missed setting the two checkboxes for the RADIUS Authorization when setting up the RADIUS group in Secure Access.

 

  • Authorization: Mark the checkbox for Authorization and select the port, which by default is 1812
    • Mark the checkbox for Authorization mode Only and Change of Authorization (CoA) mode to permit the posture and changes from ISE

8 Replies

Can I see the tunnel group and group policy?

MHM

Legusol
Level 1

This is a Secure Access and ISE integration. Attached is the config for the VPN tunnel and ISE log showing "Access_Accept" and a screenshot of Secure Access with the Failed auth.

Thanks in advance!

Can I see the config from the ASA CLI?

MHM

Legusol
Level 1

This is not ASA....this is a Cisco Secure Access End User Connectivity VPN tunnel.

Josue Brenes
Cisco Employee

Legusol,

Can you verify that the user you’re authenticating with is provisioned in Secure Access?
Navigate to: Connect > End User Connectivity > Users, Groups, and Endpoint Devices.

If the user is provisioned, the next step is to check the Authentication Property in the same section (Users, Groups, and Endpoint Devices).

For example, if you're trying to authenticate with the username (user01) instead of the email format (user01@example.com), this can cause issues, since Secure Access defaults to using the email format for authentication.

If the user provisioning was done via on-prem AD, you can configure Secure Access to authenticate using the SAM Account Name (which typically matches the username ISE retrieves from AD), instead of using the email format.

This setting is under:
Connect > End User Connectivity > Users, Groups, and Endpoint Devices > Configuration Management > Active Directory > Users Authentication > Authentication Property.

 

As a reminder, please be careful when making configuration changes in a production environment to avoid any unintended impact.

 

Best,

- Josue Brenes

 

Legusol
Level 1

Hello Josue,

We do have this user in "User, Groups and Endpoint Devices". These ISE RADIUS users are external users (third parties), so we have them imported using CSV Provisioning since they are not in our AD or Azure directories. We set them up in the CSV with UPN and mail as their email address, and we have them in ISE as an Internal User with their email for the login. ISE is showing an ACCESS_Accept, but SSE Remote Access still shows "Failed Authorization Check ASA-6-113005".

Thank you for the reply!
