Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1784
Views
0
Helpful
1
Replies

Issue with AD users restricted to certain machines.

ryan.lambert
Beginner
Beginner

‎04-05-2013 01:22 PM - edited ‎03-10-2019 08:16 PM

Hi all,

So, we seem to have a bit of an issue with user accounts that are restricted to logging in to certain machines only. While the user is permitted to log in to the machine (Windows lets them), our ISE server denies the login and the trace looks like this:

                 

24430 Authenticating user against Active Directory

24441 Account not permitted to log on using the current workstation

22057 The advanced option that is configured for a failed authentication request is used

22061 The 'Reject' advanced option is configured in case of a failed authentication request

11823 EAP-MSCHAP authentication attempt failed

12305 Prepared EAP-Request with another PEAP challenge

11006 Returned RADIUS Access-Challenge

5411 No response received during 120 seconds on last EAP message sent to the client

Has anyone seen this?

Version 1.1.1.268.

Thanks!

-Ryan

Labels:
0 Helpful
1 Reply 1

ryan.lambert
Beginner
Beginner

‎04-05-2013 01:27 PM

Well, as soon as I posted this, the idea hit me.

We added the two ISE servers' machine accounts in AD to the machines that this user is permitted to log in to, and it works like a charm now. Apparently when a user logs in, ISE passes through a generic machine name (of itself) to AD, and it wasn't matching the list of allowed machines.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers
Spotlight Award Nomination
Customers Also Viewed These Support Documents