
on 01-12-2018 08:54 AM - edited on 02-23-2022 08:32 AM by thomas
Using Microsoft Azure MFA for multifactor authentication within Cisco ISE.

As part of the Authorization profile, do you use a dACL or another option?
Sorry for all these questions. I've had a lot of issues with pushing dACLs as part of the Authorization policy from ISE to the VPN session on the ASA. Everything works, until it doesn't. We have hundreds of daily users connecting to various VPN gateways (ASA) all over, and when I enable Authorization from ISE, it causes a few of them to experience an "internal error" on their Cisco Secure Client. Even the highest echelons of TAC have been unable to help resolve this issue successfully.
I am not using dACL with these aforementioned AuthZ profiles, but I have used dACL in another scenario with VPN.
I encountered a problem and it turned out to be too many characters in the dACL. SERIOUSLY!
- The whole dACL cannot exceed 4000 characters, as it has to fit into one RADIUS packet.
- Up to 64 lines in a single dACL
DACLs in ISE - Cisco Community
I know this to be accurate because I tested the theory.
BTW...ask as many questions as you need. We're all in this together.

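A pre-push lint for a dACL against the two limits quoted above, as an added example written for this page (not code from Cisco or from the thread author). The ACE grammar it accepts is a simplified assumption covering common permit/deny lines, and the character count is an approximation of what the RADIUS attribute carries; verify both limits against your ISE release.

```python
import re

# Limits as quoted in the thread above (assumed constants, not read from ISE).
MAX_DACL_CHARS = 4000
MAX_DACL_LINES = 64

# Simplified ACE grammar (assumption): action, protocol, source, destination,
# optional trailing qualifiers such as "eq 443". Source/destination may be
# "any", "host <addr>" or "<addr> <wildcard>".
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ADDR = r"(?:any|host\s+\S+|\S+\s+\S+)"
ACE_RE = re.compile(
    rf"^(permit|deny)\s+(\w+)\s+({ADDR})\s+({ADDR})(?:\s+.*)?$", re.IGNORECASE
)


def lint_dacl(text):
    """Return line count, character count and a list of problems for a dACL.

    Blank lines are ignored; 'remark' lines are counted but not parsed.
    """
    aces = [line.strip() for line in text.splitlines() if line.strip()]
    problems = []
    for n, ace in enumerate(aces, 1):
        if ace.lower().startswith("remark"):
            continue
        m = ACE_RE.match(ace)
        if not m or m.group(2).lower() not in PROTOCOLS:
            problems.append(f"line {n}: unrecognised ACE: {ace!r}")
    chars = len("\n".join(aces))  # approximation of the pushed attribute size
    if len(aces) > MAX_DACL_LINES:
        problems.append(f"{len(aces)} lines exceeds limit of {MAX_DACL_LINES}")
    if chars > MAX_DACL_CHARS:
        problems.append(f"{chars} characters exceeds limit of {MAX_DACL_CHARS}")
    return {"lines": len(aces), "chars": chars, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: one ACE per host, deliberately over the line limit.
    sample = "\n".join(f"permit tcp any host 10.0.0.{i} eq 443" for i in range(70))
    for problem in lint_dacl(sample)["problems"]:
        print(problem)
```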
What's rather strange is that the dACL I am sending is simply `permit ip any any` and even then the issue occurs.
Are you also using hostscan? We are using hostscan and as per TAC hostscan and CoA don't work together due to a bug.
**Message from TAC:** Also I would like to point out this bug that has been found, where it is indicated that hostscan and CoA don't work together, which can be our scenario. https://bst.cisco.com/bugsearch/bug/CSCuu55785
TAC's solution for us was to stop sending AuthZ profile with a dACL to the ASA, which is what we did but obviously this is pointless.
We are not using hostscan.
Any updates on how to integrate an off-premise solution? We're still dependent on having NPS servers in the backend. I think a solution as big as Cisco ISE should be able to interact directly with AAD for the MFA.