10-12-2015 11:54 PM - edited 03-10-2019 11:08 PM
Dear Support Team
We are facing a strange issue.
Wired 802.1x is deployed using both machine & user authentication. All the machines are in the domain. Now on PCs,
user authentication & authorization is happening successfully when the user logs in with his username/password.
Since the user has no admin privileges, sometimes an administrator has to log in to install some software, and here we are facing the issue.
When the system admin logs in with the Administrator (defined in Active Directory) username/password, the user could not log in and the following error message is displayed:
"No Windows Logon Servers available to process this request"
However, if the 802.1x configuration is removed, everything is back to normal.
Here is the ACL on the switch port (Default Access):
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any host 10.0.x.100 eq 8905
permit tcp any host 10.0.x.100 eq 8905
permit tcp any host 10.0.x.100 eq 8909
permit udp any host 10.0.x.100 eq 8909
permit tcp any host 10.0.x.100 eq 8443
permit ip any host 10.0.x.19 (Domain Controller 1)
permit ip any host 10.0.x.21 (Domain Controller 2)
permit ip any host 10.0.x.23 (Domain Controller 3)
permit ip any host 10.0.x.13 (Anti Virus Server)
permit ip any host 10.0.y.72 (Remediation Server)
!
ACL used for redirection:
IP access list extended ise-redirect
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny udp any host 10.0.x.100 eq 8905 (ISE)
deny tcp any host 10.0.x.100 eq 8905 (ISE)
deny tcp any host 10.0.x.100 eq 8909 (ISE)
deny udp any host 10.0.x.100 eq 8909 (ISE)
deny tcp any host 10.0.x.100 eq 8443 (ISE)
deny ip any host 10.0.3.13 (AV Server)
deny ip any host 10.0.3.19 (Domain Controller 1)
deny ip any host 10.0.3.21 (Domain Controller 2)
deny ip any host 10.0.3.23 (Domain Controller 3)
deny ip any host 10.0.50.72 (Remediation Server)
permit ip any any
!
802.1x configuration on the switch port:
interface FastEthernet1/0/37
description MAC .2bd2
switchport access vlan 50
switchport mode access
switchport voice vlan 4
ip access-group NRA in
authentication event fail action next-method
authentication event server dead action reinitialize vlan 50
authentication event server dead action authorize voice
authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication violation restrict
mab
snmp trap mac-notification change added
snmp trap mac-notification change removed
dot1x pae authenticator
dot1x timeout tx-period 10
spanning-tree portfast
end
!
Any inputs are highly appreciated.
Thanks
Ahad
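An added check, not part of this thread or of any Cisco tooling, that models the Default Access pre-auth ACL posted above in Python and evaluates which logon-related flows it permits before 802.1x authorization completes; the poster's "x" octet, the client address and a file-server address are constructed values.

```python
import ipaddress
# The pre-auth ACL from the post; the poster's "x" octet is filled with a constructed 3
# and the "(Domain Controller 1)"-style annotations are dropped.
DEFAULT_ACCESS_ACL = """
permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any host 10.0.3.100 eq 8905
permit tcp any host 10.0.3.100 eq 8905
permit tcp any host 10.0.3.100 eq 8909
permit udp any host 10.0.3.100 eq 8909
permit tcp any host 10.0.3.100 eq 8443
permit ip any host 10.0.3.19
permit ip any host 10.0.3.21
permit ip any host 10.0.3.23
permit ip any host 10.0.3.13
permit ip any host 10.0.50.72
"""
PORT_NAMES = {"bootpc": 68, "bootps": 67, "domain": 53}

def _take_addr(tok, i):  # consume "any" or "host A.B.C.D", then an optional "eq PORT"
    if tok[i] == "any":
        net, i = ipaddress.ip_network("0.0.0.0/0"), i + 1
    else:  # "host A.B.C.D"; the wildcard-mask form is not used in the posted ACL
        net, i = ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    port = None
    if i < len(tok) and tok[i] == "eq":
        port, i = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return net, port, i

def parse_acl(text):  # one (action, proto, src_net, src_port, dst_net, dst_port) per ACE
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, sport, i = _take_addr(tok, 2)
        dst, dport, _ = _take_addr(tok, i)
        rules.append((tok[0], tok[1], src, sport, dst, dport))
    return rules

def evaluate(rules, proto, src_ip, dst_ip, dst_port, src_port=None):
    """First match wins, with the implicit deny IOS applies at the end of every ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, rproto, rsrc, rsport, rdst, rdport in rules:
        if (rproto in ("ip", proto) and s in rsrc and d in rdst
                and rsport in (None, src_port) and rdport in (None, dst_port)):
            return action
    return "deny"

def check_logon_flows(rules, client="10.0.50.200"):
    """Flows an AD logon needs; the client and file-server addresses are constructed."""
    flows = {"dns": ("udp", "10.0.3.19", 53), "kerberos-dc1": ("tcp", "10.0.3.19", 88),
             "ldap-dc2": ("tcp", "10.0.3.21", 389), "smb-fileserver": ("tcp", "10.0.3.40", 445)}
    return {n: evaluate(rules, p, client, dst, port) for n, (p, dst, port) in flows.items()}
```

Running `check_logon_flows(parse_acl(DEFAULT_ACCESS_ACL))` shows the DC-bound flows permitted and the SMB flow to a server absent from the ACL denied, which is the kind of gap to look for when a logon only fails with 802.1x in place.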
10-13-2015 07:43 AM
Ahad,
Make sure you have SSO configured correctly on your supplicant. You need to check "Enable single sign on for this network" so that users without a cached credential on a machine will be able to log in. Also, SSO needs to be allowed before logon:
Tim