10-20-2019 01:31 AM
Hi,
We implemented ISE 2.4 along with a proxy server.
We've noticed that if a new user tries to log on to Windows, he gets the error message "there are currently no logon servers available to service the logon request".
The cached user can log on after a while.
We are using Azure hybrid mode (local domain with Azure AD).
We configured ISE to allow access to the IP of the local AD, but since we are using SSO the client has to authenticate in Azure AD as well.
Users configured with proxy only can log on without any problem.
Any idea how to resolve this issue?
10-21-2019 10:19 PM
Hi @cyrus82
When you say proxy I assume you are referring to the web proxy for end clients, and not the proxy configured in ISE?
If so, then this is an IP troubleshooting issue on the clients. Once ISE (or any RADIUS server) authenticates and authorizes the client, the client will be allowed access to the switch/WLC etc. Client gets IP address via DHCP or static IP. But what happens next has nothing to do with ISE. If a client needs to talk to the internet and your organisation uses a proxy, then you need to understand how the proxy is being configured on clients.
Either it's manual (e.g. IP address and port of proxy) or automatic (e.g. wpad discovery using DNS). It might be that your WPAD is being blocked. Check whether you are using WPAD. You need to allow WPAD DNS resolution (via regular DNS) and then you also need to allow the downloading of the .XML WPAD file. Perhaps this is getting blocked?
Wireshark is probably your best bet to see what happens after the client gets an IP address. Use Wireshark to see what happens next.
10-22-2019 09:59 PM
Hi @Arne Bier
Thank you for your reply.
Actually, we are using a proxy appliance. However, when we disabled NAM on the client side we didn't face any issue with Windows logon. The traffic is passing through the proxy.
As per Microsoft, clients need to reach Azure AD (cloud) in pre-authentication in order to authenticate. Therefore, we added the Azure AD links to the proxy whitelist, and it was successful.
But when we implemented ISE in our network we started facing the logon issue again.
Is there any way to allow the client to reach Azure AD, which is located in the cloud, in pre-authentication?
Thanks
10-22-2019 11:10 PM
Hi @cyrus82
Do you mean you want to use AzureAD as an external identity source during ISE authentication? The answer is no. ISE doesn't support AzureAD as an external identity source. There is potential for doing a Secure LDAP integration to AzureAD, but that would not support EAP-MSCHAPv2 authentications.