Wow. Been trying to figure this out for over a week. Bruno's separate FTP class-map put first in line above the usual HTTP class-map on the In-Out policy-map did the trick on our ISR 8200s. Thanks.
We got it figured out. In addition to adding a password to the isakmp authorization list, we had to change the aaa new-model section and add a group statement for authorization network pointing to the RADIUS server declaration. We already had this in...
We just upgraded our 4331 IOS Router to IOS-XE 16.9.4 and now have the same issue. We set up a password and this fixed our Site2Site VPNs (non-RADIUS) but our Cisco VPN Clients use RADIUS via Microsoft NPS\AD and these login connections are still fail...