To do a quick test, change your default policy to accept and see if the client connects. If it does, then you know there is an error in your policy.
A common issue is that you have in your rules a role or enforcement condition that is EQUALS and most likely it needs to be CONTAINS, especially if it's an AD group membership.
If it's EQUALS, then it needs to be the full AD group name.
If it's CONTAINS, then it can be the simple name.
See example below
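
An added illustration, not part of the original post and not any product's policy engine: a simplified first-match rule evaluator showing why EQUALS with a simple group name falls through to the default policy, and that CONTAINS with a simple name also matches longer group names that include it. It assumes the directory returns memberOf values as full distinguished names; every group name, DN and role name here is constructed.

```python
# Simplified model of first-match role mapping (assumption: memberOf values
# are full distinguished names). All names below are constructed samples.

def evaluate(rules, member_of, default_role):
    """Return the role of the first rule matching any memberOf value."""
    for operator, value, role in rules:
        for dn in member_of:
            if operator == "EQUALS" and dn == value:
                return role
            if operator == "CONTAINS" and value in dn:
                return role
    return default_role  # no rule matched: the default policy decides

FULL_DN = "CN=VPN-Users,OU=Groups,DC=example,DC=com"
STAFF = [FULL_DN]
CONTRACTOR = ["CN=VPN-Users-Contractors,OU=Groups,DC=example,DC=com"]

EQUALS_SIMPLE = [("EQUALS", "VPN-Users", "vpn-allowed")]
EQUALS_FULL = [("EQUALS", FULL_DN, "vpn-allowed")]
CONTAINS_SIMPLE = [("CONTAINS", "VPN-Users", "vpn-allowed")]
# Including the "CN=" prefix and trailing comma pins the match to one RDN.
CONTAINS_PINNED = [("CONTAINS", "CN=VPN-Users,", "vpn-allowed")]

def run_cases(default_role="deny"):
    """Evaluate each rule set against both users and return the outcomes."""
    return {
        "equals_simple_staff": evaluate(EQUALS_SIMPLE, STAFF, default_role),
        "equals_full_staff": evaluate(EQUALS_FULL, STAFF, default_role),
        "contains_simple_staff": evaluate(CONTAINS_SIMPLE, STAFF, default_role),
        "contains_simple_contractor": evaluate(CONTAINS_SIMPLE, CONTRACTOR, default_role),
        "contains_pinned_staff": evaluate(CONTAINS_PINNED, STAFF, default_role),
        "contains_pinned_contractor": evaluate(CONTAINS_PINNED, CONTRACTOR, default_role),
    }

if __name__ == "__main__":
    for case, role in run_cases().items():
        print(f"{case:28} -> {role}")
```

With the default role set to an accepting one instead of "deny", the mismatched EQUALS case connects, which is the quick test described above: the client is reaching the default policy rather than the intended rule.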