Cisco Bug: CSCuq19789 - ISE fails to reliably match Radius:service-type eq authorize-only
Jun 09, 2016
- Cisco Identity Services Engine
Known Affected Releases
Symptom: VPN users are sometimes unable to pass traffic after a successful VPN connection. The IPEP logs show the error "No enforceable Acl in Authorize AccessAccept: Drop request and block traffic for <session>".

Conditions:
1. VPN users are authenticated against ISE, and VPN traffic goes through an Inline Posture Node (IPN/IPEP).
2. There is an authorization policy specifically for the IPEP authz profile, which tries to match the attribute RADIUS:SERVICE-TYPE = AUTHORIZE-ONLY. Consequently, there are separate authorization policies for the authentication part of it.