Contributor

Computer Cannot Connect To Wireless Network - Identity Services Engine

Would someone please comment on the issue below? To me this sounds like an account is getting unlocked but the domain controller that ISE is authenticating to does not get updated immediately. After a few minutes, the domain controllers sync the account change, and the user can log in. However, if anyone has had a similar issue, please let me know.

ISE account is set up correctly. User's account was recently unlocked, but Windows credentials were cleared and the PC was rebooted. PC would not connect to the wireless network.

- Clicked "Bypass Suppression Filtering for 1 Hour".  Logged user out of the PC and back in. User was able to connect to wireless network.

- Moving this ticket to the Networking Team for further review. After the Account was unlocked and credentials were cleared, the PC should have been able to reconnect to wireless network after the reboot.

- We attempted to connect to the wireless network multiple times after the account was unlocked, but I do not see those attempts in the Live Logs.

- I spoke with other Helpdesk Technicians about this issue. They have seen similar issues where a PC will not connect to the wireless network after an AD account lock. Typical resolution has been to "Bypass Suppression Filtering for 1 Hour".

Accepted Solution
VIP Engager

Re: Computer Cannot Connect To Wireless Network - Identity Services Engine

Active Directory account lockout and password changes fall into a category of replication that Microsoft refers to as critical directory updates. They should instantly be replicated across the domain controllers, but worst case should be within the 15 second urgent replication.

Cisco WLCs also have a client exclusion policy that is enabled by default. The WLC will block the client on the 6th authentication attempt after 5 previous failures. Seeing as you do not see the authentication attempts in the live logs of ISE, I would suspect that the WLC is suppressing the client authentication attempts due to client exclusion policies.
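As an added illustration (not code from the thread or from Cisco), the Python model below replays the interaction described in this answer: repeated failures against a locked account trip the WLC's client exclusion, and every attempt made while the exclusion timer runs is dropped before it reaches ISE, which is why nothing shows in Live Logs even after the account is unlocked. The exclusion threshold, the timer, the 2 s retry interval and the log entries are constructed assumptions, not values read from a WLC.

```python
from dataclasses import dataclass, field

# Constructed model of the WLC client-exclusion behaviour described above:
# a client that fails authentication max_failures times in a row is excluded
# for exclusion_seconds, and attempts made while excluded are dropped at the
# WLC, so ISE never sees them and they never appear in Live Logs.
# Threshold and timeout are parameters because the thread quotes two sets of
# values (5 failures in the reply, 3 failures / 60 s on the poster's WLC).
@dataclass
class ClientExclusionModel:
    max_failures: int = 5
    exclusion_seconds: int = 60
    consecutive_failures: int = 0
    excluded_until: float = 0.0
    ise_live_log: list = field(default_factory=list)  # what ISE would log

    def attempt(self, now: float, account_unlocked: bool) -> str:
        """One authentication attempt at time `now` (seconds).
        Returns 'excluded', 'failed' or 'success'."""
        if now < self.excluded_until:
            return "excluded"  # dropped by the WLC, nothing reaches ISE
        result = "success" if account_unlocked else "failed"
        self.ise_live_log.append((now, result))
        if result == "failed":
            self.consecutive_failures += 1
            if self.consecutive_failures >= self.max_failures:
                # Next attempt (the 6th with the default of 5) is blocked.
                self.excluded_until = now + self.exclusion_seconds
                self.consecutive_failures = 0
        else:
            self.consecutive_failures = 0
        return result

def replay_lockout_scenario(max_failures: int = 5, exclusion_seconds: int = 60):
    """Locked AD account, retries every 2 s, account unlocked, one retry
    before and one after the exclusion timer expires. Returns (outcomes, log)."""
    wlc = ClientExclusionModel(max_failures, exclusion_seconds)
    outcomes, t = [], 0.0
    for _ in range(max_failures + 2):          # supplicant keeps retrying
        outcomes.append((t, wlc.attempt(t, account_unlocked=False)))
        t += 2
    # Helpdesk unlocks the account; the user retries right away ...
    outcomes.append((t, wlc.attempt(t, account_unlocked=True)))
    # ... and again once the exclusion timer has run out.
    t = wlc.excluded_until + 1
    outcomes.append((t, wlc.attempt(t, account_unlocked=True)))
    return outcomes, wlc.ise_live_log
```

Running `replay_lockout_scenario(3, 60)` reproduces the poster's setting (3 failures, 60 s exclusion): only the three initial failures and the final success reach the ISE log, and the retry made immediately after the unlock is silently excluded.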

Contributor

Re: Computer Cannot Connect To Wireless Network - Identity Services Engine

I learn something new every day. Thanks for the quick response. It looks like that is definitely an issue on our network. We have the default policy of 3 authentication failures, exclude the client for 60 seconds. Is there a best practice for this setting?

VIP Engager

Re: Computer Cannot Connect To Wireless Network - Identity Services Engine

I once attended a TAC hosted Webex that talked about ISE best practices, and they suggested 3 minutes. Being enabled would be the general best practice; I wouldn't worry about it being set to 1 minute. I've never seen it adjusted.