Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1113
Views
5
Helpful
6
Replies

Cisco ISE 2.2 first time login to corporate notebook

Go to solution
Sp@wn
Beginner
Beginner

‎02-08-2019 06:32 AM - edited ‎02-08-2019 06:41 AM

Hi,

 

We have ISE 2.2 patch 10.We use PAP mschapv2 dot1x user authentication. When clients try login to their new laptop coming from IT departmant they get the following error;

We can't sign you in with this credential because your domain isn't available.

How do we get over it?

 

Regards,

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sp@wn
Beginner
Beginner
In response to marce1000

‎02-08-2019 08:12 AM

ISE did not have any log when the user tried to log in. Wireless connection could not be established because there are no cached users on the PC. I created another rule for domain computers and I created authz policy for them. In the ACL, I gave just LDAP, DNS, DHCP access and I blocked the rest of everything. After that users was able to join wireless connection and they could log in the their laptop. And now they able access the network with their user permissions.

View solution in original post

6 Replies 6

Go to solution
marce1000
VIP Mentor VIP Mentor
VIP Mentor

‎02-08-2019 07:05 AM

 

 - You will probably have to verify your ise-policies. For starters check what is in the ISE auth log(s) for the corresponding authentication attempts.

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !
0 Helpful

Go to solution
Sp@wn
Beginner
Beginner
In response to marce1000

‎02-08-2019 08:12 AM

ISE did not have any log when the user tried to log in. Wireless connection could not be established because there are no cached users on the PC. I created another rule for domain computers and I created authz policy for them. In the ACL, I gave just LDAP, DNS, DHCP access and I blocked the rest of everything. After that users was able to join wireless connection and they could log in the their laptop. And now they able access the network with their user permissions.

Go to solution
hslai
Cisco Employee
Cisco Employee
In response to Sp@wn

‎02-10-2019 08:38 AM - edited ‎02-10-2019 12:04 PM

It looks like you solved it yourself with marce1000's advice. It's correct that the computer needs AD access for an AD user able to login. Do consider the pointers from paul.

0 Helpful

Go to solution
paul
Advocate
Advocate
In response to marce1000

‎02-08-2019 11:51 AM

Why are you allowing the laptop's to go to PEAP User mode authentication?  If you are allowing Domain Users to authenticated you have a hole in your security design.  Any user can bring in any device they want and user their AD credentials to attach to the network.  If you don't have user based policies, configure only PEAP Computer Auth.  If you have user policy requirements you should look to user EAP-TLS or NAM with EAP Chaining.

0 Helpful

Go to solution
Sp@wn
Beginner
Beginner
In response to paul

‎02-10-2019 10:38 AM

We also doing posture after user logged in their computer. And one of the posture conditions is that the computer must a domain computer. Thanks your advices. I found my solution.
0 Helpful

Go to solution
zunaid.cse
Beginner
Beginner

‎02-10-2019 02:15 AM

Hi,

Can i troubleshoot your problem using remote session.

 

My Details:

Muhammad Zunaid Bhuiyan

Email: zunaid.cse@gmail.com

Mobile: +880196240005

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents