ISE Machine/User Authentication passes but Windows login fails...

02-10-2017 02:49 PM - edited 03-11-2019 12:27 AM
I have a customer with a new ISE deployment. They are running 2.1.0.474 with patches 1,2 installed. We have both machine and user authentication configured.
- client attempts to log into the network over a wireless connection (ISE shows a successful machine and user authentication)
- client machine shows from the Windows 7 login screen that they were unable to connect to the wireless network and that no logon servers were available to process the request (which is not true since the WLC shows the connection and ISE shows the authentication)
- if the client is then wired into a switchport (also 802.1X enforced) and tries to log in, it is successful and the user sees a desktop
Trying to figure out if there is some configuration that is missing on the client that is causing the "failed" Windows login even though from the ISE perspective, everything is successful.
Labels: AAA

02-10-2017 03:53 PM
One additional item I found was that the user authentication over wireless does work if the user's credentials are cached on the laptop. If the user has never logged in before, the only way to get the authentication to work properly is to have them connect over wired 802.1X.
I don't assume this to be a problem with ISE but was wondering if anyone has run into this before and if I am missing a configuration on the client/supplicant. Thanks.
02-10-2017 06:02 PM
Are you doing machine and user auth separately or together using Anyconnect EAP chaining?
On bootup, the machine authentication happens and sends an authz result to the WLC. At this point, you should allow access to the Domain Controller. When a new user needs to log in, the client needs to contact the DC on TCP and UDP ports 49000 to 64000 for RPC. Do you have different authz policies for Wired and Wireless users?
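The reply above points at the usual cause of this symptom: the authorization result applied after machine authentication has to let the pre-logon client reach the domain controller, including the dynamic RPC range, or the user logon at the Windows login screen cannot complete even though ISE reports success. The following added example (not from the thread or from Cisco) models a WLC-style ACL as a first-match list with an implicit deny and reports which of the ports a domain logon needs are blocked toward the DC. The DC address, the two sample ACLs and the `AclEntry` shape are constructed for the example; the port list uses the well-known logon services (DNS, Kerberos, LDAP, SMB, RPC endpoint mapper) plus the 49000-64000 RPC range quoted in the reply.

```python
import ipaddress
from dataclasses import dataclass
from functools import lru_cache


@dataclass(frozen=True)
class AclEntry:
    """One line of a WLC-style ACL: first match wins, implicit deny at the end."""
    action: str      # "permit" or "deny"
    proto: str       # "tcp", "udp" or "any"
    dst: str         # destination network in CIDR notation
    dport_lo: int    # destination port range, inclusive
    dport_hi: int


# Destination ports a Windows client needs on the domain controller for a
# network logon: well-known service ports plus the dynamic RPC range quoted
# in the thread (49000-64000).
LOGON_REQUIREMENTS = [
    ("DNS", "udp", 53, 53),
    ("Kerberos", "tcp", 88, 88),
    ("Kerberos", "udp", 88, 88),
    ("RPC endpoint mapper", "tcp", 135, 135),
    ("LDAP", "tcp", 389, 389),
    ("LDAP", "udp", 389, 389),
    ("SMB", "tcp", 445, 445),
    ("dynamic RPC", "tcp", 49000, 64000),
    ("dynamic RPC", "udp", 49000, 64000),
]


@lru_cache(maxsize=None)
def _net(cidr):
    # Parse each CIDR once; the range scans below call this thousands of times.
    return ipaddress.ip_network(cidr, strict=False)


def acl_decision(acl, proto, dst_ip, dport):
    """Evaluate the ACL top-down for one packet; no match means implicit deny."""
    ip = ipaddress.ip_address(dst_ip)
    for entry in acl:
        if entry.proto != "any" and entry.proto != proto:
            continue
        if ip not in _net(entry.dst):
            continue
        if not entry.dport_lo <= dport <= entry.dport_hi:
            continue
        return entry.action
    return "deny"


def blocked_ranges(acl, proto, dst_ip, lo, hi):
    """Return the contiguous sub-ranges of lo..hi that the ACL does not permit."""
    gaps = []
    start = None
    for port in range(lo, hi + 1):
        allowed = acl_decision(acl, proto, dst_ip, port) == "permit"
        if not allowed and start is None:
            start = port
        if allowed and start is not None:
            gaps.append((start, port - 1))
            start = None
    if start is not None:
        gaps.append((start, hi))
    return gaps


def missing_logon_access(acl, dc_ip):
    """List (service, proto, (lo, hi)) tuples the machine-auth ACL blocks toward the DC."""
    missing = []
    for name, proto, lo, hi in LOGON_REQUIREMENTS:
        for gap in blocked_ranges(acl, proto, dc_ip, lo, hi):
            missing.append((name, proto, gap))
    return missing


# Constructed sample data: a placeholder DC address and two candidate
# machine-authentication ACLs.
DC_IP = "10.0.0.10"

# An ACL that opens the obvious logon ports but forgets the dynamic RPC range.
NARROW_ACL = [
    AclEntry("permit", "udp", "10.0.0.0/24", 53, 53),
    AclEntry("permit", "any", "10.0.0.0/24", 88, 88),
    AclEntry("permit", "tcp", "10.0.0.0/24", 135, 135),
    AclEntry("permit", "any", "10.0.0.0/24", 389, 389),
    AclEntry("permit", "tcp", "10.0.0.0/24", 445, 445),
    AclEntry("deny", "any", "0.0.0.0/0", 0, 65535),
]

# The "permit any" test policy mentioned later in the thread, for comparison.
PERMIT_ANY_ACL = [AclEntry("permit", "any", "0.0.0.0/0", 0, 65535)]


if __name__ == "__main__":
    for label, acl in (("narrow", NARROW_ACL), ("permit any", PERMIT_ANY_ACL)):
        gaps = missing_logon_access(acl, DC_IP)
        print(f"{label}: {'OK' if not gaps else gaps}")
```

Running the script reports the narrow ACL as blocking the whole 49000-64000 range for both TCP and UDP while the permit-any policy passes, which is the difference between a logon that hangs on "No logon servers available" and one that succeeds. The same check is worth running against the wired and wireless authorization results side by side, since a policy that differs between the two media is the other thing the reply asks about.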

02-11-2017 05:09 AM
Machine and user authentication are performed separately. We are not using EAP chaining in this environment.
The laptop while on wireless and at the Windows login screen does successfully pass a machine authentication, this can be seen through ISE. Currently for testing purposes, the authorization policy for machine authentication is "permit any" (through an ACL configured on the WLC).
When the user enters their credentials, I also see the successful user authentication in ISE, (which also allows all traffic using the same ACL).
However the machine shows a message, "Unable to connect to <SSID>" and then another error stating, "No logon servers available."
If the user's credentials are cached in the laptop, the user is able to log in. Again, I do not believe this to be an issue with ISE but wanted to see if anyone else has run into this phenomenon.
Our workaround for this issue is to wire the machines to a switch (that also has 802.1X enabled), and the Windows login is successful even if the user's credentials are not cached on the machine.

02-14-2017 04:57 AM
I have seen exactly the same SSO failure on wired 802.1X switchports, but it is intermittent and not easily reproduced.
