ISE - Windows account password issue

mkouame17
Level 1

Dear Team,

I have an issue and I would like your help to solve it.

We have ISE 2.3 in our environment. Each time a user changes his Windows account password, we have to remove the ISE config on the user's interface port on the switch to allow the synchronization between the user machine and the AD. Without that, the user cannot access the LAN to work correctly.

8 Replies

hslai
Cisco Employee

This appears to be the port ACL not allowing the connections to Active Directory while the user is dot1x authenticated. I would suggest using Wireshark or the like to check what's blocked. Below is a sample DACL used in our lab, where 10.1.100.21 is ISE and 10.1.100.10 is AD:


permit udp any eq bootpc any eq bootps
permit tcp any host 10.1.100.21 eq 80
permit tcp any host 10.1.100.21 eq 443
permit tcp any host 10.1.100.21 eq 8443
permit udp any host 10.1.100.10 eq domain
permit tcp any host 10.1.100.10 eq domain
permit tcp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq ntp
permit tcp any host 10.1.100.10 eq 135
permit udp any host 10.1.100.10 eq netbios-ns
permit tcp any host 10.1.100.10 eq 139
permit tcp any host 10.1.100.10 eq 389
permit udp any host 10.1.100.10 eq 389
permit tcp any host 10.1.100.10 eq 445
permit tcp any host 10.1.100.10 eq 636
permit udp any host 10.1.100.10 eq 636
permit tcp any host 10.1.100.10 range 1024 65535
permit ip any any fragments
permit icmp any any
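As an added example (not code from hslai or the thread), the following Python checker parses ACEs written in the DACL syntax shown above and reports which AD services the ACL does not permit toward the domain controller; the list of required services is an assumption for illustration, and the sample DACL is constructed with two of those ports deliberately left out.

```python
"""Check a Cisco downloadable ACL (DACL) for the ports a Windows client needs
on its domain controller during a password change (assumed service list)."""

# Assumed: DNS, Kerberos, RPC endpoint mapper, LDAP, SMB and LDAPS toward the DC.
REQUIRED = {("udp", 53), ("tcp", 53), ("tcp", 88), ("udp", 88), ("tcp", 135),
            ("tcp", 389), ("udp", 389), ("tcp", 445), ("tcp", 636)}

# Keyword port names used in the sample DACL.
NAMED_PORTS = {"domain": 53, "ntp": 123, "netbios-ns": 137, "bootps": 67, "bootpc": 68}

# Constructed sample: AD is 10.1.100.10; tcp/135 and tcp/445 are intentionally missing.
SAMPLE_DACL = """permit udp any eq bootpc any eq bootps
permit tcp any host 10.1.100.21 eq 443
permit udp any host 10.1.100.10 eq domain
permit tcp any host 10.1.100.10 eq domain
permit tcp any host 10.1.100.10 eq 88
permit udp any host 10.1.100.10 eq 88
permit tcp any host 10.1.100.10 eq 389
permit udp any host 10.1.100.10 eq 389
permit tcp any host 10.1.100.10 eq 636
permit ip any any fragments
permit icmp any any"""

def port_num(tok):
    return NAMED_PORTS.get(tok) or int(tok)

def parse_ace(line):
    """Return (proto, dst_host, allowed_dst_ports) for a permit ACE, else None."""
    tok = line.split()
    if len(tok) < 4 or tok[0] != "permit":
        return None
    proto, i = tok[1], 2
    i += 2 if tok[i] == "host" else 1          # source: 'any' or 'host X'
    if i < len(tok) and tok[i] == "eq":        # optional source port
        i += 2
    if i >= len(tok):
        return None
    if tok[i] == "host":
        dst, i = tok[i + 1], i + 2
    else:
        dst, i = "any", i + 1
    rest = tok[i:]
    if rest and rest[0] == "eq":
        ports = {port_num(rest[1])}
    elif rest and rest[0] == "range":
        ports = range(int(rest[1]), int(rest[2]) + 1)
    elif "fragments" in rest:
        ports = ()            # non-initial fragments only: grants no service
    else:
        ports = range(0, 65536)
    return proto, dst, ports

def allows(aces, proto, host, port):
    return any(p in (proto, "ip") and dst in (host, "any") and port in ports
               for p, dst, ports in aces)

def missing_services(dacl_text, ad_host):
    """Required (proto, port) pairs the DACL does not permit toward ad_host."""
    aces = [a for a in map(parse_ace, dacl_text.splitlines()) if a]
    return sorted(s for s in REQUIRED if not allows(aces, s[0], ad_host, s[1]))
```

Running `missing_services(SAMPLE_DACL, "10.1.100.10")` flags tcp/135 and tcp/445, while a DACL consisting only of `permit ip any any` (the original poster's case) reports nothing missing, which points the troubleshooting elsewhere.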

Dear hslai,

Thanks for your answer; in my case we use only permit ip any any in my ACL.

I will install Wireshark on the PC and do the capture.

I will let you know the result.

Are you using Windows Supplicant or NAM? I have done many many Windows supplicant installs and never heard of this issue. Also, you should never be taking ISE off the port. You should be setting an ISE bypass portal up using My Devices and allowing the help desk/support personnel to add MAC addresses into the system to be allowed on the network for troubleshooting/reimaging reasons.

We are using Windows Native supplicant.

Try adding this line in the ACL, then:

permit ip any any fragments

Saheedadeyanju
Level 1

ISE - Windows account password issue, and we have installed Cisco Secure Client on all our devices. We are having frequent Windows account lockouts.

Saheedadeyanju
Level 1

Also, I have installed the Cisco Secure Client 5.0.5040, but the icon appears and disappears. Please help.

@Saheedadeyanju , this is a very old thread.

Please start a new thread with your specific question and you will need to provide a lot more specific details for troubleshooting. I do not understand how ISE is responsible for "frequent Window account lockouts".

See How to Ask The Community for Help for the level of detail we need. If that is not possible, you will want to call TAC so they can go through the necessary troubleshooting steps with you.