
Issue with AD users restricted to certain machines.

ryan.lambert
Level 1

Hi all,

So, we seem to have a bit of an issue with user accounts that are restricted to logging in to certain machines only. While the user is permitted to log in to the machine (Windows lets them), our ISE server denies the login and the trace looks like this:

                 

24430 Authenticating user against Active Directory

24441 Account not permitted to log on using the current workstation

22057 The advanced option that is configured for a failed authentication request is used

22061 The 'Reject' advanced option is configured in case of a failed authentication request

11823 EAP-MSCHAP authentication attempt failed

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

5411 No response received during 120 seconds on last EAP message sent to the client

Has anyone seen this?

Version 1.1.1.268.

Thanks!

-Ryan

1 Reply

ryan.lambert
Level 1

Well, as soon as I posted this, the idea hit me.

We added the two ISE servers' machine accounts in AD to the machines that this user is permitted to log in to, and it works like a charm now. Apparently when a user logs in, ISE passes through a generic machine name (of itself) to AD, and it wasn't matching the list of allowed machines.
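
The fix described in the reply above, as an added example that is not part of the original thread: a PowerShell audit that finds every workstation-restricted AD account (the ones that would hit error 24441 through ISE) and appends the ISE nodes to its allowed list. The node names `ISE-NODE-01` and `ISE-NODE-02` and the helper `Get-MissingIseNodes` are hypothetical; it assumes the ActiveDirectory (RSAT) module is installed.

```powershell
# Added example, not from the original thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# ASSUMPTION: placeholder computer-account names of the two ISE nodes as joined to AD.
$IseNodes = @('ISE-NODE-01', 'ISE-NODE-02')

function Get-MissingIseNodes {
    # Hypothetical helper: returns the ISE node names that are absent from a
    # comma-separated userWorkstations value (comparison is case-insensitive).
    param(
        [string]   $UserWorkstations,
        [string[]] $Nodes
    )
    $allowed = @($UserWorkstations -split ',' |
                 ForEach-Object { $_.Trim() } |
                 Where-Object   { $_ })
    @($Nodes | Where-Object { $allowed -notcontains $_ })
}

# Only accounts with a populated userWorkstations attribute ("Log On To" list)
# are restricted to specific machines; unrestricted accounts are not returned.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties userWorkstations

foreach ($user in $restricted) {
    $missing = @(Get-MissingIseNodes -UserWorkstations $user.userWorkstations -Nodes $IseNodes)
    if ($missing.Count -eq 0) { continue }   # ISE nodes already allowed

    # Keep the existing entries and append only the nodes that are missing.
    $current  = @($user.userWorkstations -split ',' |
                  ForEach-Object { $_.Trim() } |
                  Where-Object   { $_ })
    $newValue = ($current + $missing) -join ','

    Write-Output ("{0}: adding {1}" -f $user.SamAccountName, ($missing -join ', '))

    # -WhatIf makes this a dry run; remove it to write the change to AD.
    Set-ADUser -Identity $user -Replace @{ userWorkstations = $newValue } -WhatIf
}
```

If ISE presents its own name to AD as the reply describes, the workstation list no longer limits which endpoint such a user authenticates from through ISE, so any per-endpoint restriction for network access has to be enforced in ISE policy.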