cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
155
Views
1
Helpful
1
Replies

ISE won't let the user login. Selected Indentity Source is DenyAccess

AndreVal
Level 1
Level 1

Hi everyone!

I'm setting up wireless BYOD with guest portal and having issues with the specific option on ISE - "Prevent active directory user lockout".

I turned this option on and tried to simulate locking out user account entering wrong password for his account.

AD settings.png

Fair enough, after 3 attempts ISE won't let me login anymore because it's locked on ISE even if I enter correct password:

Radius error.png

AD would block user in AD if badPwdCount gets to 5, so the account is still working for other services.

But now I'm having issues with unlocking the account on ISE. I tried to re-login to wired network using correct login/password to reset badPwdCount Attribute. After that I try to login to BYOD page portal and I still get the same "Selected Indentity Source is DenyAccess" like ISE doesn't care about badPwdCount at all. 

I even checked the badPwdCount counter on ISE itself using "Test User" feature on ISE and it actually shows it's zero!

test user.png

Is there a chance ISE checking some other attributes? How do I troubleshoot why ISE specifically decide to lock me?

ISE 3.3.0.181 Patch 2

1 Reply 1

Arne Bier
VIP
VIP

Have you checked all the "Steps" in the Authentication Details pane?  It's sometimes a bit of a guessing game, but that's the first place to look.