Cisco ISE 2.2 first time login to corporate notebook

Sp@wn
Level 1

Hi,

We have ISE 2.2 patch 10. We use PAP MSCHAPv2 dot1x user authentication. When clients try to log in to their new laptops coming from the IT department, they get the following error:

We can't sign you in with this credential because your domain isn't available.

How do we get over it?

Regards,


6 Replies

marce1000
VIP

 

 - You will probably have to verify your ISE policies. For starters, check what is in the ISE auth log(s) for the corresponding authentication attempts.

M.



-- "Good body every evening": this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

ISE did not have any log when the user tried to log in. The wireless connection could not be established because there are no cached users on the PC. I created another rule for domain computers and I created an authz policy for them. In the ACL, I gave just LDAP, DNS and DHCP access and I blocked everything else. After that, users were able to join the wireless connection and they could log in to their laptops. And now they are able to access the network with their user permissions.

hslai
Cisco Employee

It looks like you solved it yourself with marce1000's advice. It's correct that the computer needs AD access for an AD user to be able to log in. Do consider the pointers from paul.

Why are you allowing the laptops to go to PEAP user-mode authentication? If you are allowing Domain Users to authenticate, you have a hole in your security design. Any user can bring in any device they want and use their AD credentials to attach to the network. If you don't have user-based policies, configure only PEAP computer auth. If you have user policy requirements, you should look to use EAP-TLS or NAM with EAP chaining.

We are also doing posture after the user has logged in to their computer. And one of the posture conditions is that the computer must be a domain computer. Thanks for your advice. I found my solution.
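The two authorization results discussed in this thread (the accepted solution's "domain computer gets only LDAP, DNS and DHCP" rule, and paul's point that user access should be tied to a machine that already passed computer authentication) can be written down as ISE downloadable ACLs. The following is an added example and is not configuration from the original posters or from Cisco; it assumes ISE dACL syntax (the body of an IOS extended ACL, one entry per line, `remark` lines allowed) and a constructed domain-controller subnet of 10.0.0.0/24. The dACL names are also constructed.

```text
remark === dACL PRE-LOGON-DOMAIN-COMPUTER (added example, constructed names) ===
remark Attached to the authz profile of the rule that matches machine
remark authentication only (e.g. the 802.1X identity starts with host/).
remark Allows just what a domain-joined laptop needs to find and talk to AD
remark before any user has logged in, as in the accepted solution above.
remark DHCP: client port bootpc (68) to server port bootps (67)
permit udp any eq bootpc any eq bootps
remark DNS to the domain controllers (constructed subnet 10.0.0.0/24)
permit udp any 10.0.0.0 0.0.0.255 eq domain
permit tcp any 10.0.0.0 0.0.0.255 eq domain
remark LDAP to the domain controllers
permit tcp any 10.0.0.0 0.0.0.255 eq 389
permit udp any 10.0.0.0 0.0.0.255 eq 389
remark Everything else is blocked until a user authenticates
deny ip any any

remark === dACL USER-FULL-ACCESS (added example, constructed name) ===
remark Attached to the authz profile of the user rule. That rule should also
remark require that the same session already passed computer authentication
remark (ISE machine access restriction / WasMachineAuthenticated, or EAP
remark chaining as paul suggests), so a personal device with borrowed AD
remark credentials does not land here.
permit ip any any
```

Two caveats a practitioner should check in a lab before rolling this out. First, the thread's list of LDAP, DNS and DHCP is what worked for the poster; a Windows domain logon normally also uses Kerberos (tcp/udp 88) and SMB (tcp 445) to the domain controllers, so if the "domain isn't available" error persists with the first dACL, those are the next ports to look at. Second, the deny at the end of the pre-logon dACL is what keeps a machine-only session from reaching the rest of the network, so the order of the two authorization rules in ISE matters: the user rule with the machine-authentication condition must be evaluated first, and the machine-only rule must not be broad enough to match a session that has already presented user credentials.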

zunaid.cse
Level 1

Hi,

Can I troubleshoot your problem using a remote session?

 

My Details:

Muhammad Zunaid Bhuiyan

Email: zunaid.cse@gmail.com

Mobile: +880196240005