Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
64
Views
0
Helpful
0
Replies

ISE won't let the user login. Selected Indentity Source is DenyAccess

AndreVal
Level 1
Level 1

‎09-02-2024 02:11 AM

Hi everyone!

I'm setting up wireless BYOD with guest portal and having issues with the specific option on ISE - "Prevent active directory user lockout".

I turned this option on and tried to simulate locking out user account entering wrong password for his account.

AD settings.png

Fair enough, after 3 attempts ISE won't let me login anymore because it's locked on ISE even if I enter correct password:

Radius error.png

AD would block user in AD if badPwdCount gets to 5, so the account is still working for other services.

But now I'm having issues with unlocking the account on ISE. I tried to re-login to wired network using correct login/password to reset badPwdCount Attribute. After that I try to login to BYOD page portal and I still get the same "Selected Indentity Source is DenyAccess" like ISE doesn't care about badPwdCount at all. 

I even checked the badPwdCount counter on ISE itself using "Test User" feature on ISE and it actually shows it's zero!

test user.png

Is there a chance ISE checking some other attributes? How do I troubleshoot why ISE specifically decide to lock me?

ISE 3.3.0.181 Patch 2

0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents