Also, I was able to login to the offending user and was able to delete those sessions. I could delete user connections if I was logged in to switch with the same user.
Remove the Layer 3 security. This as long as the auth servers are setup, the redirect will go directly to the them to authenticate. (ISE splash page).
TAC did that for me and now i get the splash page.
Non standard passive ftp.access-list FTP-LIST extended permit tcp any any range 10021 10022access-list FTP-LIST extended permit tcp any any range 50000 50019class-map FTP-CLASS match access-list FTP-LISTpolicy-map global_policyclass FTP-CLASS inspec...