
24441 ISE machine account is not permitted to log on

ROZAMX
Spotlight

Dear all,

Please help. Recently we created a new 802.1X SSID and everything seemed to go well, but after testing with many users I'm facing an issue like this:

  • 24441 ISE machine account is not permitted to log on

Comparing with the users that could connect successfully, I found the following in the Authentication Details for those users with the mentioned error:

DetailedInfo: Invalid username or password specified

I'm using Cisco ISE.

Please advise guys

Best Regards, 

ROZA.

1 Accepted Solution
11 Replies

Is ISE successfully joined to the domain?  What do you see for your Active Directory External Identity source?  Do you just have a single AD environment here?

Dear ahollifield,

Is ISE successfully joined to the domain?

Yes, ISE is successfully joined to the domain

What do you see for your Active Directory External Identity source?

I can enter the username and password in order to check the user

Do you just have a single AD environment here?

Yes, there is only one

Do you need further details?

I really appreciate your help.

Rodrigo Diaz
Cisco Employee

Hello @ROZAMX, in this procedure that you are following the ISE will appear as a computer within your domain in your AD. The error that you are showing is probably because the user that you are using to bind the ISE with your AD is not allowed to log in to the ISE machine. You need to ensure first that the user account you are using has the permission to log on to the computer representing ISE.

Let me know if that helped.

Dear Ro,

Thanks for your quick response.

In fact there is a policy that does not allow the "All Computers" option in AD; users can only log in to their own computers, to prevent multiple logins. The binding is ISE + AD: a user is related to a hostname, and if another user wants to log in on a different computer it won't be permitted. And of course the MAC address is already added on ISE and assigned to the right group and so on.

Please advise.

ROZA.

As the others are trying to explain, this has nothing to do with the user logging into the end computer that is trying to connect to the Wireless SSID. This error is indicating that the ISE computer account that is meant to be integrated with your Active Directory domain does not have the required permissions to query the domain for the user/computer account credentials related to the computer that is trying to join the SSID.
Please review the Active Directory Integration with Cisco ISE 2.x document for information on what permissions are required by ISE for the various AD Join operations and ensure the ISE computer accounts have the required permissions to query the domain.

You can also perform a test lookup against the end user account to determine if the response is a Success and ensure that ISE can retrieve all of the relevant Groups and Attributes as described in the 'Test Users for Active Directory Authentication' section of the same document above.


Rodrigo is on the correct track. If you have the user limited to specific computers to log in to, the ISE nodes must also be in that list, as they are doing the login also, if that makes sense. The PC will log in the user, but for network access ISE will also log the user in, and if ISE is not on the allowed device list for the user it will fail.

We have run into the same issue for limited accounts on our systems.
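The replies above describe the mechanism: when a user's AD account is restricted with "Log On To" (the userWorkstations attribute), the ISE nodes themselves must appear in that list, because ISE performs the logon on the user's behalf during 802.1X. The PowerShell below is an added example, not code from the thread or from Cisco; it audits that attribute across users and reports the ISE node names missing from it, optionally adding them. It assumes the ActiveDirectory module (RSAT) on a domain-joined host, and the node names in $IseNodes are hypothetical; replace them with the computer account names your ISE nodes received when they joined the domain.

```powershell
# Added example (not from the thread): audit the AD "Log On To" restriction
# (userWorkstations, exposed as LogonWorkstations by the ActiveDirectory module)
# and report users whose list does not include the ISE node computer accounts.
# Hypothetical ISE node names; substitute your own.
$IseNodes = @('ISE-PAN-01', 'ISE-PSN-01', 'ISE-PSN-02')

function Get-MissingIseNodes {
    param(
        [AllowNull()][AllowEmptyString()][string]$LogonWorkstations,
        [string[]]$RequiredNodes
    )
    # An empty attribute means "All computers": no restriction, so nothing is missing.
    if ([string]::IsNullOrWhiteSpace($LogonWorkstations)) { return @() }
    # The attribute is a comma-separated list of NetBIOS names, compared case-insensitively.
    $allowed = $LogonWorkstations.Split(',') |
        ForEach-Object { $_.Trim().ToUpperInvariant() } |
        Where-Object { $_ }
    return @($RequiredNodes | Where-Object { $allowed -notcontains $_.ToUpperInvariant() })
}

function Test-IseLogonRestriction {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$SearchBase,                  # optional OU to limit the audit
        [string[]]$RequiredNodes = $IseNodes,
        [switch]$Fix                          # append the missing nodes to the list
    )
    # Only users that actually carry a workstation restriction are interesting.
    $query = @{ Filter = 'userWorkstations -like "*"'; Properties = 'LogonWorkstations' }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    foreach ($user in Get-ADUser @query) {
        $missing = Get-MissingIseNodes -LogonWorkstations $user.LogonWorkstations -RequiredNodes $RequiredNodes
        if ($missing.Count -eq 0) { continue }

        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            LogonWorkstations = $user.LogonWorkstations
            MissingIseNodes   = ($missing -join ',')
        }

        if ($Fix -and $PSCmdlet.ShouldProcess($user.SamAccountName, "Add ISE nodes to LogonWorkstations")) {
            $current = @($user.LogonWorkstations.Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
            Set-ADUser -Identity $user -LogonWorkstations (($current + $missing) -join ',')
        }
    }
}

# Report only:
#   Test-IseLogonRestriction -SearchBase 'OU=Staff,DC=example,DC=com' | Format-Table
# Preview the change without touching AD, then apply:
#   Test-IseLogonRestriction -Fix -WhatIf
#   Test-IseLogonRestriction -Fix
```

The audit deliberately skips accounts with an empty attribute, since "All computers" is not the failure mode in this thread; the accounts that produce error 24441 are the ones with a populated list that omits the ISE nodes. Run the report first and confirm the 24441 entries in ISE Live Logs line up with the users it lists before applying any change.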

ROZAMX
Spotlight

Dear all, 

I really appreciate your quick response. I just want to add more information, since I figured out something in ISE under External Identity Sources > Active Directory > ISE Node > Test User:

[Screenshot attached: ROZAMX_0-1672239879798.png]

Please advise,

ROZA.


Looks like the ISE node is not joined to the domain.

Can you share some knowledge about how to configure this, or some advice?

Thanks,

ROZA.

Hi,

What if the Join Point is added and operational, the AD user group is added to it as well, and the policy condition searches the proper group, but you still get that error? Might it be a problem in the AD group creation and definition as "global" instead of "local" on the AD server itself?