02-11-2019 12:54 PM
Would someone please comment on the issue below. To me this sounds like an account is getting unlocked but the domain controller that ISE is authenticating to does not get updated immediately. After a few minutes, the domain controllers sync the account change, and the user can login. However, if anyone has had a similar issue, please let me know.
ISE Account is set up correctly. User's account was recently unlocked, but Windows credentials were cleared and the PC was rebooted. PC would not connect to the wireless network.
- Clicked "Bypass Suppression Filtering for 1 Hour". Logged user out of the PC and back in. User was able to connect to wireless network.
- Moving this ticket to the Networking Team for further review. After the Account was unlocked and credentials were cleared, the PC should have been able to reconnect to wireless network after the reboot.
- We attempted to connect to the wireless network multiple times after the account was unlocked, but I do not see those attempts in the Live Logs.
- I spoke with other Helpdesk Technicians about this issue. They have seen similar issues where a PC will not connect to the wireless network after an AD Account Lock. Typical resolution has been to "Bypass Suppression Filtering for 1 Hour".
02-11-2019 01:03 PM - edited 02-11-2019 01:17 PM
Active Directory account lockout and password changes fall into a category of replication that Microsoft refers to as critical directory updates. They should instantly be replicated across the domain controllers, but worst case should be within the 15 second urgent replication.
Cisco WLCs also have a client exclusion policy that is enabled by default. The WLC will block the client on the 6th authentication attempt after 5 previous failures. Seeing as you do not see the authentication attempts in the live logs of ISE, I would suspect that the WLC is suppressing the client authentication attempts due to client exclusion policies.
02-11-2019 01:24 PM
I learn something new every day. Thanks for the quick response. It looks like that is definitely an issue on our network. We have the default policy of 3 authentication failures, exclude the client for 60 seconds. Is there a best practice for this setting?
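As an added illustration (not from the thread, and not Cisco's code), a simplified Python model of the WLC client exclusion behaviour described in the reply above, using the 3-failure / 60-second values quoted in the follow-up: the third failure opens an exclusion window, and every attempt inside that window is dropped at the WLC, so ISE never sees it and the Live Logs stay empty even after the account is unlocked. The counting rules and the retry timeline are assumptions for illustration, not WLC internals.

```python
from dataclasses import dataclass

@dataclass
class ExclusionPolicy:
    """WLC client-exclusion parameters; defaults are the 3-failure / 60 s values
    quoted in the thread. The counting rules below are assumed, not WLC internals."""
    max_failures: int = 3
    exclusion_seconds: int = 60

def simulate(attempts, policy):
    """Replay one client's 802.1X attempts, given as (timestamp_s, credentials_valid).
    Returns one outcome per attempt: 'forwarded-accept' / 'forwarded-reject' (the
    request reached ISE) or 'dropped-excluded' (the WLC never forwarded it)."""
    failures = 0
    excluded_until = float("-inf")
    outcomes = []
    for ts, valid in attempts:
        if ts < excluded_until:
            # Excluded MAC: dropped locally, so ISE Live Logs show nothing for it.
            outcomes.append("dropped-excluded")
            continue
        if valid:
            failures = 0
            outcomes.append("forwarded-accept")
            continue
        failures += 1
        outcomes.append("forwarded-reject")
        if failures >= policy.max_failures:
            # Threshold reached: open the exclusion window and reset the counter.
            excluded_until = ts + policy.exclusion_seconds
            failures = 0
    return outcomes

def reached_radius(outcomes):
    """Number of attempts ISE would actually have logged."""
    return sum(o.startswith("forwarded") for o in outcomes)

# Constructed scenario (not from the thread): the supplicant retries every 10 s with
# a stale cached password; at t=30 the account is unlocked and the cached credentials
# cleared, so the attempts from t=40 onward carry valid credentials.
SCENARIO = [(0, False), (10, False), (20, False),
            (40, True), (50, True), (60, True), (70, True), (90, True)]

if __name__ == "__main__":
    result = simulate(SCENARIO, ExclusionPolicy())
    for (ts, _), outcome in zip(SCENARIO, result):
        print(f"t={ts:>3}s  {outcome}")
    print(f"attempts visible to ISE: {reached_radius(result)} of {len(SCENARIO)}")
```

Only 4 of the 8 attempts reach ISE in this run; the four valid attempts made right after the unlock are silently dropped until the 60-second window expires at t=80.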
02-11-2019 01:54 PM