CISCO ISE Domain Account locked out frequently

Granit
Level 1

Dears,

From Cisco ISE I join the domain with my domain account. Recently I changed the password, and since Wednesday 14.11.'18 my domain account has been locked out frequently, every 6, 8, 10 to 30 minutes.

I un-joined the domain from Cisco ISE, but my account still continues to lock out.

When I check the DC logs for EventCode=4740, it says

Account That Was Locked Out: Security ID: DDD\xxx Account Name: xxx 

Additional Information: Caller Computer Name: CISCO-ISE

I am having difficulty managing this situation.

2.4.0.357
ISE-VM-K9
V01

Has anyone faced this issue?!

Regards,

Granit

Accepted Solution

Timothy Abbott
Cisco Employee

The fact that you removed the join to AD from ISE and your account continues to lock out tells me that something other than ISE is locking out your domain account.

Regards,

-Tim

6 Replies

Thanks for the reply, Tim.

I named the ISE CISCO-ISE, and when I check the logs from the Domain Controllers, they say that Caller Computer Name: CISCO-ISE locked the account.

I do not have any other correlation with this name except ISE.

Regards,

Graniti 

Unless you checked the box to have ISE remember your username/password when you joined (you shouldn't have) then your credentials are stored.  ISE locking of AD accounts is not an ISE issue, it is a byproduct of ISE doing authentication against AD.  Say for example your mobile phone is connecting to a wireless SSID with your AD credentials and you forgot to change your password on the phone when you changed your AD password.  Your AD account will get locked because your phone is continually trying to connect to that SSID.  The AD logs will say locked because of ISE, but ISE is just doing its job and authenticating credentials against AD.
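The point made above (and repeated in Carlos P.'s report further down) is that Event 4740 on the DC names the computer that submitted the bad password, which for 802.1X users is the RADIUS server, not the endpoint that actually holds the stale credential. The usual way to find the real source is to correlate the 4740 lockout times with ISE's failed-authentication records for the same username and read off the Calling-Station-ID (the client MAC). The script below is an added example, not code from the thread or from Cisco; the 4740 records and the ISE log lines are constructed sample data in a simplified key=value layout that is assumed for the example and is not ISE's exact syslog format.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample of DC Security log Event ID 4740 (account lockout) records.
# "caller" is what the event calls "Caller Computer Name"; when that is a RADIUS
# server such as ISE, it hides the endpoint that really sent the bad password.
DC_LOCKOUTS = [
    {"time": "2018-11-14 08:31:05", "account": "xxx", "caller": "CISCO-ISE"},
    {"time": "2018-11-14 08:52:40", "account": "xxx", "caller": "CISCO-ISE"},
]

# Constructed ISE failed-authentication records. This key=value layout is an
# assumption made for the example; real ISE syslog/report exports differ.
ISE_FAILED_AUTHS = """\
2018-11-14 08:29:10 user=xxx calling-station-id=AA-BB-CC-11-22-33 nas=WLC-01 reason=wrong-password
2018-11-14 08:29:55 user=xxx calling-station-id=AA-BB-CC-11-22-33 nas=WLC-01 reason=wrong-password
2018-11-14 08:30:40 user=xxx calling-station-id=AA-BB-CC-11-22-33 nas=WLC-01 reason=wrong-password
2018-11-14 08:45:12 user=otheruser calling-station-id=DE-AD-BE-EF-00-01 nas=WLC-02 reason=wrong-password
2018-11-14 08:50:03 user=xxx calling-station-id=AA-BB-CC-11-22-33 nas=WLC-01 reason=wrong-password
2018-11-14 08:51:30 user=xxx calling-station-id=AA-BB-CC-11-22-33 nas=WLC-01 reason=wrong-password
2018-11-14 08:52:15 user=xxx calling-station-id=AA-BB-CC-11-22-33 nas=WLC-01 reason=wrong-password
"""

TS = "%Y-%m-%d %H:%M:%S"


def parse_ise_line(line):
    """Turn one simplified record into a dict; the timestamp is the first two tokens."""
    parts = line.split()
    rec = {"time": datetime.strptime(" ".join(parts[:2]), TS)}
    for kv in parts[2:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_ise_log(text):
    """Parse every non-empty line of the constructed ISE export."""
    return [parse_ise_line(l) for l in text.splitlines() if l.strip()]


def attribute_lockouts(lockouts, auths, window_minutes=5):
    """For each 4740 lockout, count failed ISE authentications for the same account
    in the window just before the lockout, keyed by calling-station-id (client MAC).
    Returns a list of (lockout_time, account, Counter{mac: failures})."""
    results = []
    for lk in lockouts:
        t_lock = datetime.strptime(lk["time"], TS)
        t_start = t_lock - timedelta(minutes=window_minutes)
        hits = Counter(
            a["calling-station-id"]
            for a in auths
            if a["user"] == lk["account"] and t_start <= a["time"] <= t_lock
        )
        results.append((lk["time"], lk["account"], hits))
    return results


def likely_culprit(results):
    """Aggregate across all lockouts; return (mac, failures) with the most failures,
    or None when no ISE failure lines up with any lockout."""
    total = Counter()
    for _, _, hits in results:
        total.update(hits)
    if not total:
        return None
    return total.most_common(1)[0]


if __name__ == "__main__":
    parsed = parse_ise_log(ISE_FAILED_AUTHS)
    attributed = attribute_lockouts(DC_LOCKOUTS, parsed)
    for when, account, hits in attributed:
        print(when, account, dict(hits))
    print("likely culprit:", likely_culprit(attributed))
```

With the sample data, both lockouts of `xxx` are preceded by three wrong-password attempts from the same MAC, so that endpoint (in Paul's scenario, the phone with the old Wi-Fi password) is the device to fix; the `otheruser` failure is correctly ignored because the correlation is by account name and time window. On a real deployment, feed the function the 4740 events from the DC and the RADIUS failed-authentication report from ISE, and widen the window to match the domain's lockout observation window.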

Thanks for the reply, Paul.

I managed to open a service account and joined AD with this SA.

Until now my domain account isn't locked :) but we must change the password for the SA at least once every 6 months, and in ISE we do not have any option for how to do that. I didn't test with MSA.

As I said in my previous post the account you use to join ISE to AD is not used or stored unless you check the box to store the credentials (which I never do) and have Passive ID enabled. When you join ISE to AD it creates computer accounts in AD which is how it interacts with AD. There is no need for the service account for normal AD functions. If you enable Passive ID an account is needed to do WMI queries to the domain controllers.


Hi Experts,
I have the same problem.
Some users who authenticate to an SSID with 802.1X have their domain user accounts locked after 3 attempts, which is strange. Checking the ISE logs, we see that the user tried 3 times to log in incorrectly and the account is locked.

The Network Administrator has to go into AD and unlock the domain user account; ISE acts only as a pass-through for 802.1X authentication via wireless.

The strange thing is that it happens only with some users; this does not affect everyone.

Does anyone know what may be happening?

We use ISE 2.0.0.306 and Active Directory on WS2008.

I will appreciate your support.

Regards.

Carlos P.