12-11-2022 02:31 PM
Dear all,
Please help, recently we created a new SSID 802.1x and seems to be everything went well but after tested with many users I'm facing an issue like this:
And comparing with the users that could connected successfully I've found the for those user with the mentioned error in the Authentication Details the following:
DetailedInfo: Invalid username or password specified
I'm using CISCO ISE.
Please advise guys
Best Regards,
ROZA.
Solved! Go to Solution.
01-03-2023 05:56 AM
12-12-2022 05:15 AM
Is ISE successfully joined to the domain? What do you see for your Active Directory External Identity source? Do you just have a single AD environment here?
12-18-2022 01:19 PM
Dear ahollifield,
Is ISE successfully joined to the domain?
Yes, ISE is successfully joined to the domain
What do you see for your Active Directory External Identity source?
I can enter the username and password in order to check the user
Do you just have a single AD environment here?
Yes, there is only one
Do you need further details?
Really appreciated your help.
12-18-2022 03:50 PM
Hello @ROZAMX , in this procedure that you are following the ISE will appear as computer within your domain in your AD , the error that you are showing is due probably because of the user that you are using to bind the ISE with your AD is not allowed login the ISE machine . You need to ensure first that the user account you are using has the permission to log on to the computer representing ISE.
Let me know if that helped .
12-18-2022 06:39 PM
Dear Ro,
Thanks for your quickly response.
In fact there is a policy that does not allowed to use the option in AD "All Computers" only users can login in their computers to prevent multiple logins. The binding is ISE + AD: user related to hostname if the another user wants to login in another different computer won't be permitted. And of course the MAC ADD is already added on ISE and assigned to the right group and so on.
Please advise.
ROZA.
12-18-2022 07:43 PM
As the others are trying to explain, this has nothing to do with the user logging into the end computer that is trying to connect to the Wireless SSID. This error is indicating that the ISE computer account that is meant to be integrated with your Active Directory domain does not have the required permissions to query the domain for the user/computer account credentials related to the computer that is trying to join the SSID.
Please review the Active Directory Integration with Cisco ISE 2.x document for information on what permissions are required by ISE for the various AD Join operations and ensure the ISE computer accounts have the required permissions to query the domain.
You can also perform a test lookup against the end user account to determine if the response is a Success and ensure that ISE can retrieve all of the relevant Groups and Attributes as described in the 'Test Users for Active Directory Authentication' section of the same document above.
12-19-2022 11:22 AM
Rodrigo is on the correct track, if you have the user limited to specific computers to log in, the ISE nodes must also be in that list as they are doing the login also if that makes sense. The PC will log in the user, but for network access ISE will also log the user in and if ISE is not on the allowed device list for the user it will fail.
We have run into the same issue for limited account on out systems.
12-28-2022 07:05 AM
Dear all,
I really appreciate your quick response I just want to add more information since I figured out something in ISE in External Identities Sources > Active Directory > Ise Node > test user:
Please adivse,
ROZA.
12-28-2022 07:19 AM
12-30-2022 12:52 PM
Can you share some knowledge about how to configure this or some advise?
Thanks,
ROZA.
01-03-2023 05:56 AM
02-13-2024 06:10 AM
Hi
what if the Joint Point is added and operational, the AD user group added to it also, the policy condition searching the proper group, but still get that error? might be a problem in the AD Group creation&definition as "global" instead of "local" at the AD server itself?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide