06-21-2012 01:13 AM - edited 03-10-2019 07:13 PM
Is this a bug in ACS 5.3.0.40.4?
We have some AD user accounts that are permitted to log onto only certain computers. I am able to log onto the permitted computers with the AD account, but 802.1X fails and the client is unable to get a network connection. It is on the right VLAN, but it can't ping the default gateway, and it's not put in the guest VLAN. In the ACS log we see the error "EAP session timed out : 24441 Account not permitted to log on using the current workstation".
I verified it by testing with another user. I limited the user to only log onto one particular computer. I then logged onto that computer, and soon after that I lost network connection and the same error was in the log.
This means that 802.1X will fail if you try to limit in AD which computers a user account can log onto. Has anyone experienced this before?
Labels: AAA
Accepted Solutions
07-23-2014 08:22 AM
I know that this is two years old, but we just ran into the same problem, though with ISE 1.2. ISE and ACS MUST be added to the allowed computers list for the user. That does require that ISE or ACS be in the same domain as the users, which would be an issue for the person who started this chain. The "current workstation" in the error message "24441 Account not permitted to log on using the current workstation" refers to ACS or ISE, not the end machine, as maldehne explained above. This is because, in essence, the user is logging into ACS or ISE for the purpose of the authentication against AD. Not directly, but that's how 802.1X is working. Once ACS or ISE is added, the authentication works perfectly (as long as everything else is correct).
06-21-2012 04:41 AM
The message "24441 Account not permitted to log on using the current workstation" means that in the AD configuration of this user, the privileges are set up in a way that the machine has no privilege to log in to that machine. This is something you have to look into in AD itself; there is nothing to do on the ACS. Usually a user can access any machine, and in this case one can go to "Active Directory Users and Computers" and open the user's Properties. Select the "Account" tab and then select "Log On To". Ensure that the "All Computers" option is selected.

If these are special accounts which must have restricted access to a single workstation, then: To perform authentications against a backend Active Directory server, the ACS computer physically joins the domain and sends a Kerberos authentication request to AD sourced from its own computer name. The reason why it does this is that it doesn't know the computer name of your PC. Wireless EAP authentications come in with a few attributes, notably your user name, information about the Access Point/WLC you are connecting to, and the MAC address of your client (because that's how the AP/WLC identifies you). EAP/RADIUS doesn't transmit the computer account you are connecting from (unless you use machine authentication, but that is a completely separate traffic flow/authentication process as far as ACS is concerned).
Unfortunately that's the entire basis for how ACS performs domain authentications with Kerberos, and really a function of Kerberos in general (you MUST pass a computer account to the AD or it will fail you, and since the ACS doesn't know yours it uses its own).
Here is what you can do:
- Use a different protocol to talk to the AD: either LDAP (which won't work with PEAP-MSCHAPv2), or proxy the RADIUS request from ACS to IAS on the domain via the RADIUS protocol.
- Add the ACS host machine account to the logon list the user is allowed to connect to.
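The fix described in the accepted solution and in the reply above comes down to one AD attribute: the user's "Log On To" list, stored in userWorkstations and exposed as LogonWorkstations by the ActiveDirectory cmdlets. The following PowerShell is an added example, not code from the thread or from Cisco; it audits which restricted users are missing the AAA server's computer account and adds it where needed. It assumes the ActiveDirectory RSAT module, an account allowed to modify the user objects, and that the ACS/ISE nodes are joined to the same domain as the users (the limitation noted in the accepted solution). The server and user names in it are hypothetical.

```powershell
# Added example (not from the thread): put the AAA server's own computer account on a
# user's "Log On To" list (userWorkstations / LogonWorkstations), since ACS/ISE present
# their own machine name to Kerberos in place of the supplicant's. Requires the
# ActiveDirectory RSAT module and rights to modify the user. Names are hypothetical.
#Requires -Modules ActiveDirectory

function Add-AaaLogonWorkstation {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        # NetBIOS computer names of every ACS node or ISE PSN that is joined to the domain.
        # With several nodes, each one has its own computer account and must be listed.
        [Parameter(Mandatory)][string[]]$AaaComputerName
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties LogonWorkstations
    if ([string]::IsNullOrWhiteSpace($user.LogonWorkstations)) {
        # Empty means "All computers". Writing entries here would start restricting the
        # account, which is the opposite of what we want, so leave it alone.
        Write-Warning "$SamAccountName is not restricted (Log On To = All computers); nothing to do."
        return
    }

    # The attribute is a single comma-separated string; normalise it into a clean list.
    $current = @(($user.LogonWorkstations -split ',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    # -notcontains is case-insensitive, so 'acs01' and 'ACS01' are the same entry.
    $missing = @($AaaComputerName | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Verbose "All AAA nodes already listed for $SamAccountName."
        return $current
    }

    $updated = (@($current) + $missing) -join ','
    if ($PSCmdlet.ShouldProcess($SamAccountName, "Set LogonWorkstations to '$updated'")) {
        Set-ADUser -Identity $SamAccountName -LogonWorkstations $updated
    }
    return ($updated -split ',')
}

# Step 1, audit: which users with a restricted "Log On To" list lack any of the AAA nodes?
$aaa = @('ACS01', 'ISE-PSN1', 'ISE-PSN2')   # hypothetical node names
Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations |
    Where-Object {
        $list = ($_.LogonWorkstations -split ',').Trim()
        @($aaa | Where-Object { $list -notcontains $_ }).Count -gt 0
    } |
    Select-Object SamAccountName, LogonWorkstations

# Step 2, fix one account, previewing with -WhatIf before committing.
Add-AaaLogonWorkstation -SamAccountName 'svc-kiosk' -AaaComputerName $aaa -WhatIf
```

Run the audit first; it is the quickest way to confirm that every account showing 24441 in the ACS/ISE log is one with a restricted list. After adding the nodes, the next user-phase EAP exchange should succeed without any change on the AAA server, which is also a useful way to prove that the "current workstation" in the message really is the AAA server and not the client PC.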
06-22-2012 03:43 AM
I might have explained the problem poorly:
The user IS able to log onto the computer. This computer, Computer1, is in the allowed logon list for the user account in AD, and the user IS able to log onto Computer1. In the ACS I see that the computer is authenticated. Then, after approximately 2 minutes, the ACS says that the account is not permitted to log on using the current workstation, even though it IS ALLOWED. This is the switch log:
Machine auth (I verified the success of the machine auth in the ACS log):
Jun 22 12:06:34.103: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC327A0B07D
Jun 22 12:06:37.928: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:06:38.591: %DOT1X-5-SUCCESS: Authentication successful for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:06:38.591: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:06:39.623: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:10:31.677: %DOT1X-5-FAIL: Authentication failed for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:10:31.677: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:10:31.677: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:10:31.677: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:26:29.519: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC827B2EE39
Jun 22 12:26:47.721: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
Jun 22 12:26:56.235: %DOT1X-5-SUCCESS: Authentication successful for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
Jun 22 12:26:56.235: %AUTHMGR-7-RESULT: Authentication result 'success' from 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
Jun 22 12:26:57.275: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
User auth:
Jun 22 12:28:57.668: %DOT1X-5-FAIL: Authentication failed for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
Jun 22 12:28:57.676: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
Jun 22 12:28:57.676: %AUTHMGR-7-FAILOVER: Failing over from 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
Jun 22 12:28:57.685: %DOT1X-5-RESULT_OVERRIDE: Authentication result overridden for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC113265000
-> ACS reports: "24441 Account not permitted to log on using the current workstation"
I cannot add the ACS to the logon list because it is not in the same domain as the clients. If the user weren't allowed to log onto the computer I would get an error message from Windows right away when trying to log on, denying me the logon.
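The switch log above shows the signature of this problem from the NAS side: the machine phase succeeds, then the user phase on the same AuditSessionID ends with a dot1x result of 'timeout' because the server stops answering once AD rejects the account. The script below is an added example, not from the post or from Cisco; it groups the IOS AUTHMGR/DOT1X messages by AuditSessionID and flags sessions where a success is followed by a timeout, so the affected MACs and ports can be matched against the 24441 entries on the ACS/ISE side. The sample lines are copied from the post (the truncated final line is left out); the function name and regex are my own.

```powershell
# Added example (not from the thread): correlate IOS 802.1X syslog by AuditSessionID and
# report sessions that authenticated successfully and later failed with result 'timeout'.
# Sample lines are copied from the post above; everything else is hypothetical.

function Find-Dot1xTimeoutAfterSuccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$LogLines)

    # Layout of the IOS messages in the post: timestamp, FACILITY-SEV-MNEMONIC, free text,
    # client MAC, interface, AuditSessionID. Lines that do not carry a session ID are ignored.
    $rx = '^(?<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): %(?<mn>[A-Z0-9]+-\d-[A-Z_]+): ' +
          '(?<text>.*?)client \((?<mac>[0-9a-f.]+)\) on Interface (?<intf>\S+) AuditSessionID (?<sid>[0-9A-F]+)'
    $sessions = [ordered]@{}

    foreach ($line in $LogLines) {
        if ($line -notmatch $rx) { continue }
        # IOS has no year in the timestamp; ParseExact defaults it, which is fine for deltas.
        $tsText = $Matches['ts'] -replace '\s+', ' '
        $ts = [datetime]::ParseExact($tsText, 'MMM d HH:mm:ss.fff', [cultureinfo]::InvariantCulture)
        $sid = $Matches['sid']
        if ($null -eq $sessions[$sid]) {
            $sessions[$sid] = [ordered]@{
                Mac       = $Matches['mac']
                Interface = $Matches['intf']
                Events    = [System.Collections.Generic.List[object]]::new()
            }
        }
        $sessions[$sid].Events.Add([pscustomobject]@{
            Time = $ts; Mnemonic = $Matches['mn']; Text = $Matches['text']
        })
    }

    foreach ($sid in $sessions.Keys) {
        $s  = $sessions[$sid]
        $ok = $s.Events | Where-Object Mnemonic -eq 'DOT1X-5-SUCCESS' | Select-Object -First 1
        if (-not $ok) { continue }
        # A 'timeout' RESULT after the success is the user-phase failure seen in the post.
        $to = $s.Events | Where-Object {
            $_.Mnemonic -eq 'AUTHMGR-7-RESULT' -and $_.Text -match "'timeout'" -and $_.Time -gt $ok.Time
        } | Select-Object -First 1
        if (-not $to) { continue }
        [pscustomobject]@{
            AuditSessionID = $sid
            Mac            = $s.Mac
            Interface      = $s.Interface
            AuthSuccess    = $ok.Time.ToString('HH:mm:ss.fff')
            TimedOut       = $to.Time.ToString('HH:mm:ss.fff')
            SecondsLater   = [math]::Round(($to.Time - $ok.Time).TotalSeconds, 1)
        }
    }
}

# Sample input copied from the post (constructed here-string; the truncated last line omitted).
$sample = @'
Jun 22 12:06:34.103: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC327A0B07D
Jun 22 12:06:37.928: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:06:38.591: %DOT1X-5-SUCCESS: Authentication successful for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:06:39.623: %AUTHMGR-5-SUCCESS: Authorization succeeded for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:10:31.677: %DOT1X-5-FAIL: Authentication failed for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:10:31.677: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC427A0C0BD
Jun 22 12:26:47.721: %AUTHMGR-5-START: Starting 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
Jun 22 12:26:56.235: %DOT1X-5-SUCCESS: Authentication successful for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
Jun 22 12:28:57.668: %DOT1X-5-FAIL: Authentication failed for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
Jun 22 12:28:57.676: %AUTHMGR-7-RESULT: Authentication result 'timeout' from 'dot1x' for client (0024.e898.0fe1) on Interface Gi3/0/1 AuditSessionID AC11326500002BC927B33658
'@ -split "`r?`n"

Find-Dot1xTimeoutAfterSuccess -LogLines $sample | Format-Table -AutoSize
```

On the lines from the post, both of the sessions that reached DOT1X-5-SUCCESS are reported, each with the delay between the machine-phase success and the user-phase timeout; the first START session, which never authenticated, is not. Feed it the switch's full syslog (for example from `show logging` redirected to a file) and compare the MACs and timestamps it lists against the 24441 failures in the ACS/ISE authentication report.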