Many thanks to and Ingram for their attempted help, much appreciated! The issue with smart defaults IS, even IF you don't configure it and you let 'smart defaults' predefine a 'default' authorization policy, that authorization policy name will need to be called in the profile! Otherwise authentication will pass but authorization will FAIL! (This is what I was experiencing.) This applies to you if you are using RADIUS or local authentication!

For example:

aaa authorization group anyconnect-eap list 'AAA_AUTHORIZATION_NETWORK' 'IKEV2_AUTHORIZATION_POLICY'

Even if you are using a policy derived from RADIUS you must use a 'dummy' authorization policy!

A fully populated authorization policy example:

crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
When you are declaring the 'aaa authorization group anyconnect-eap list 'NAME OF YOUR AAA AUTHORIZATION NETWORK'' you must FOLLOW this up with the IKEv2 Authorization Policy!!

Nearly all of those have 'smart defaults' that will allow you to use pre-defined configs for best practice, so you don't even need to config them at all! The only two that YOU MUST config are:

After nearly a week of investigation and headbanging! I finally got this resolved!
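A pre-deployment check for the pitfall described in the post, as an added example that is not part of the original post: it scans a saved configuration for `aaa authorization group ... list` lines in an IKEv2 profile that name no authorization policy, or name one that is not defined. The sample configuration and the profile names PROFILE_A/B/C are constructed; the checker assumes only the command form shown in the post and treats the smart-default policy `default` as always present.

```python
import re

# Constructed sample, not from the post. PROFILE_A/B/C and MISSING_POLICY are
# hypothetical names; the list and policy names are the ones the post uses.
SAMPLE_CONFIG = """\
crypto ikev2 authorization policy IKEV2_AUTHORIZATION_POLICY
!
crypto ikev2 profile PROFILE_A
 aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK IKEV2_AUTHORIZATION_POLICY
!
crypto ikev2 profile PROFILE_B
 aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK
!
crypto ikev2 profile PROFILE_C
 aaa authorization group anyconnect-eap list AAA_AUTHORIZATION_NETWORK MISSING_POLICY
"""

POLICY_RE = re.compile(r"^crypto ikev2 authorization policy (\S+)")
PROFILE_RE = re.compile(r"^crypto ikev2 profile (\S+)")
AUTHZ_RE = re.compile(r"^\s+aaa authorization group \S+ list (\S+)(?:\s+(\S+))?")


def check_ikev2_authorization(config):
    """Return (profile, problem) pairs for group authorization lines that
    name no policy, or name a policy the configuration never defines."""
    lines = config.splitlines()
    # Assumption: "default" exists via smart defaults even when not configured.
    defined = {"default"}
    for line in lines:
        m = POLICY_RE.match(line)
        if m:
            defined.add(m.group(1))
    findings, profile = [], None
    for line in lines:
        m = PROFILE_RE.match(line)
        if m:
            profile = m.group(1)
        elif line and not line[0].isspace():
            profile = None  # any other top-level line ends the profile block
        elif profile and (m := AUTHZ_RE.match(line)):
            # The post writes names in quotes; accept either notation.
            policy = m.group(2).strip("'") if m.group(2) else None
            if policy is None:
                findings.append((profile, "no authorization policy named"))
            elif policy not in defined:
                findings.append((profile, f"policy {policy} is not defined"))
    return findings
```
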