Computer Cannot Connect To Wireless Network - Identity Services Engine

Alex Pfeil
Level 7

Would someone please comment on the issue below. To me this sounds like an account is getting unlocked but the domain controller that ISE is authenticating to does not get updated immediately. After a few minutes, the domain controllers sync the account change, and the user can login. However, if anyone has had a similar issue, please let me know.

ISE Account is setup correctly. User's account was recently unlocked, but windows credentials were cleared and rebooted the PC. PC would not connect to the wireless network.

- Clicked "Bypass Suppression Filtering for 1 Hour". Logged user out of the PC and back in. User was able to connect to wireless network.

- Moving this ticket to the Networking Team for further review. After the Account was unlocked and credentials were cleared, the PC should have been able to reconnect to wireless network after the reboot.

- We attempted to connect to the wireless network multiple times after the account was unlocked, but I do not see those attempts in the Live Logs.

- I spoke with other Helpdesk Technicians about this issue. They have seen similar issues where a PC will not connect to wireless network after an AD Account Lock. Typical resolution has been to "Bypass Suppression Filtering for 1 Hour".

Accepted Solution

Damien Miller
VIP Alumni

Active Directory account lockout and password changes fall into a category of replication that Microsoft refers to as critical directory updates. They should instantly be replicated across the domain controllers, but worst case should be within the 15 second urgent replication.

Cisco WLCs also have a client exclusion policy that is enabled by default. The WLC will block the client on the 6th authentication attempt after 5 previous failures. Seeing as you do not see the authentication attempts in the live logs of ISE, I would suspect that the WLC is suppressing the client authentication attempts due to client exclusion policies.


3 Replies


I learn something new every day. Thanks for the quick response. It looks like that is definitely an issue on our network. We have the default policy of 3 authentication failures, exclude the client for 60 seconds. Is there a best practice for this setting?

I once attended a TAC hosted Webex that talked about ISE best practices and they suggested 3 minutes. Being enabled would be the general best practice; I wouldn't worry about it being set to 1 minute. I've never seen it adjusted.
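The exclusion behaviour discussed in the accepted answer and the follow-up, as an added simulation that is not part of this thread or of Cisco's software: it models the WLC's per-client counter with assumed semantics (consecutive 802.1X failures counted per client, counter reset on success, attempts silently dropped while the exclusion timer runs) and uses the two settings the thread mentions, the 5-failure default from the accepted answer and the 3-failure / 60-second policy the original poster reports, to show why retries made right after the AD account is unlocked never show up in the ISE Live Logs.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ClientExclusion:
    """Per-client exclusion state as modelled here (assumed semantics, not Cisco's code):
    consecutive failures are counted per client, a success resets the counter, and once
    the counter exceeds max_failures the WLC excludes the client for timeout_s seconds,
    dropping further attempts without sending a RADIUS request (so ISE logs nothing)."""
    max_failures: int = 5          # accepted answer: blocked on the 6th attempt after 5 failures
    timeout_s: int = 60            # original poster's setting: exclude the client for 60 seconds
    failures: int = 0
    excluded_until: Optional[float] = None

    def attempt(self, now: float, creds_valid: bool) -> str:
        """Outcome of one authentication attempt made at time `now` (seconds)."""
        if self.excluded_until is not None:
            if now < self.excluded_until:
                return "dropped"           # still excluded: ISE never sees this attempt
            self.excluded_until = None     # exclusion timer has expired, start counting afresh
            self.failures = 0
        if creds_valid:
            self.failures = 0
            return "success"
        self.failures += 1
        if self.failures > self.max_failures:
            self.excluded_until = now + self.timeout_s
            self.failures = 0
            return "excluded"              # this failure trips the exclusion policy
        return "failed"


def replay(events: List[Tuple[float, bool]], max_failures: int = 3, timeout_s: int = 60) -> List[str]:
    """Run a sequence of (time, credentials_valid) attempts through one client's state."""
    wlc = ClientExclusion(max_failures=max_failures, timeout_s=timeout_s)
    return [wlc.attempt(t, ok) for t, ok in events]


def seen_by_ise(outcomes: List[str]) -> int:
    """Attempts that were actually forwarded to the RADIUS server (everything not dropped)."""
    return sum(o != "dropped" for o in outcomes)


# Constructed scenario based on the thread: the AD account is locked (four failed attempts),
# is unlocked at t=20, the PC is rebooted and retries at t=30 and t=45 while still excluded,
# and finally succeeds once the 60-second exclusion has lapsed.
SCENARIO = [(0, False), (5, False), (10, False), (15, False), (30, True), (45, True), (100, True)]

if __name__ == "__main__":
    for (t, _), outcome in zip(SCENARIO, replay(SCENARIO)):
        print(f"t={t:>4}s  {outcome}")
```

Only five of the seven attempts in the scenario produce a RADIUS transaction, which matches the symptom of retries missing from the Live Logs even though the account is already unlocked.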