https://community.cisco.com/t5/wireless/disconnecting-from-lan-and-connect-to-wi-fi-caused-ad-lockouts/m-p/5467724#M291563 <P>I am almost sure that is a Windows Server issue.</P><P><A href="https://support.microsoft.com/en-us/topic/the-nps-server-locks-a-user-account-after-four-tries-on-a-windows-server-2008-r2-based-computer-that-performs-authentication-for-radius-clients-4c5c5b82-ce96-0233-be7a-20985795aa84" target="_blank" rel="nofollow noopener noreferrer">https://support.microsoft.com/en-us/topic/the-nps-server-locks-a-user-account-after-four-tries-on-a-windows-server-2008-r2-based-computer-that-performs-authentication-for-radius-clients-4c5c5b82-ce96-0233-be7a-20985795aa84</A></P> Fri, 10 Nov 2023 12:21:10 GMT aleabrahao 2023-11-10T12:21:10Z https://community.cisco.com/t5/wireless/disconnecting-from-lan-and-connect-to-wi-fi-caused-ad-lockouts/m-p/5467723#M291562 <P>Hi,</P><P>We are in the middle of a deployment of Cisco Meraki APs. We are migrating from Cisco WLC with radius authentication via ISE for Corporate LAN access via an SSID.</P><P>We are experiencing an issue where some users (not all) disconnect from the LAN to go to a meeting a connect to Wi-Fi. They should automatically connect the corporate LAN via an SSID. This would for about 80% of users. For about 20% of users they cannot connect to the LAN via an SSID as this locks out their AD account.</P><P>We have configured NAC on the AP port and it authenticates successfully on the network via ISE (3.1 Patch 3). The AP is also configured as a NAD on ISE. The users have an EAP-TLS for Wired Dot1x and PEAP for Wireless Dot1x. Retries for "<EM>Allow PEAP</EM>" and "<EM>Allow TEAP</EM>" for "<EM>Allow Password Change Retries</EM>" is "<EM>3</EM>".</P><P>Any ideas on what could solve these AD Lockout issues? <SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="PEAP" style="width: 544px;"><span class="lia-inline-image-display-wrapper" image-alt="image.jpeg"><img src="https://community.cisco.com/t5/image/serverpage/image-id/272782i98ADB3FBF22CCBE9/image-size/large?v=v2&amp;px=999" role="button" title="image.jpeg" alt="image.jpeg" /></span><SPAN class="lia-inline-image-caption" onclick="event.preventDefault();">PEAP</SPAN></SPAN><SPAN class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="EAP-TLS" style="width: 604px;"><span class="lia-inline-image-display-wrapper" image-alt="image.jpeg"><img src="https://community.cisco.com/t5/image/serverpage/image-id/272774i8B723A9D7EE75F74/image-size/large?v=v2&amp;px=999" role="button" title="image.jpeg" alt="image.jpeg" /></span><SPAN class="lia-inline-image-caption" onclick="event.preventDefault();">EAP-TLS</SPAN></SPAN></P> Fri, 10 Nov 2023 09:37:16 GMT https://community.cisco.com/t5/wireless/disconnecting-from-lan-and-connect-to-wi-fi-caused-ad-lockouts/m-p/5467723#M291562 Anthony O'Reilly 2023-11-10T09:37:16Z https://community.cisco.com/t5/wireless/disconnecting-from-lan-and-connect-to-wi-fi-caused-ad-lockouts/m-p/5467724#M291563 <P>I am almost sure that is a Windows Server issue.</P><P><A href="https://support.microsoft.com/en-us/topic/the-nps-server-locks-a-user-account-after-four-tries-on-a-windows-server-2008-r2-based-computer-that-performs-authentication-for-radius-clients-4c5c5b82-ce96-0233-be7a-20985795aa84" target="_blank" rel="nofollow noopener noreferrer">https://support.microsoft.com/en-us/topic/the-nps-server-locks-a-user-account-after-four-tries-on-a-windows-server-2008-r2-based-computer-that-performs-authentication-for-radius-clients-4c5c5b82-ce96-0233-be7a-20985795aa84</A></P> Fri, 10 Nov 2023 12:21:10 GMT https://community.cisco.com/t5/wireless/disconnecting-from-lan-and-connect-to-wi-fi-caused-ad-lockouts/m-p/5467724#M291563 aleabrahao 2023-11-10T12:21:10Z