Anyconnect Login Error When Dacl Is applied with Duo Proxy's bypassed Users

Hi team,
Our scenario is protecting Radius SSL vpn Users with cisco ISE
the Duo Auth Proxy is sitting in middle between the ISE and the cisco ASA.
on cisco ASA ssl vpn profile we have DUO auth Proxy as the AAA radius server.
everything is working good until we hit the following use cases:

  • a not defined users on the duo portal “bypassed by 2FA”

  • and a downloadable ACL is applied on the authorization profile on cisco ISE
    with this use case the users get login error on anyconnect.

  • when we delete dacl from authz profile everything is ok

knowing that pass_through_all=true is confiugred
we tested with other radius attribute and it is ok like security group tag and DHCp attriute.

After investigating with packet capture we get the following results

ASA -> duo auth proxy : access-request with user name and pass
duo-> ASA : access accept with attribute(18) val=Allowing unknown user and of cours dacl
ASA->DUO access request username filled the Dacl Attribute Value
DUO-> ASA acces reject with reason invalid username or password

please any suggestion or help
regards

I have the same issue.
Did you get any resolution?