Users not able to login after password reset

dgaikwad
Level 5

Hi Experts,
We have the following deployment:
NAM - EAP-FAST using EAP-GTC, user authentication, authentication done from LDAP directory.
ISE version 2.7
AnyConnect 4.6
Posture service is also being used.
Configured the following ACL
Extended IP access list CISCO-CWA-URL-REDIRECT-ACL
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny udp any host <ISE Server> eq 8905
deny tcp any host <ISE Server> eq 8905
deny tcp any host <ISE Server> eq 8443
deny ip any host <LDAP Server>
deny ip any host <LDAP Server>
deny ip any host <LDAP Server>
permit ip any host 72.163.1.80
permit ip any any

Issue:
The user's password is reset in the LDAP directory, and when the user tries to log in with the new password, he gets an error saying "Domain not available".

As always, when dot1x config is removed from the port, the user is able to login with the new password...

I was also thinking that the permit ip any any could be causing the issue; would removing it from the ACL make any sense?

Any suggestions?

8 Replies

Hi,

What is your default policy? The above policy cwa_url_redirect is mostly used for posture redirection.

The default policy has a deny access authorization profile attached to it.
And would adding a pre-auth ACL make any difference here?

Hi,

You need to push a dACL on the computer authentication authorization policy to allow the traffic to the AD and other services for the user to authenticate.

 

Here the config is as follows: EAP-FAST with EAP-GTC, using only user authentication via NAM.
Will this be possible using the above idea?

What is your default dACL if you are not using computer authentication?

The default DACL is a deny all.
So, if I apply a DACL along with just the user auth being used from NAM, will that also work?

That is your problem: how will the machine contact your AD to log in if you have not given permission in the default ACL? That ACL would be applied here as well; the IP address, DHCP, DNS, all those services need to be allowed so the PC can be onboarded to the network.

If you are doing user authentication, the dot1x policy DACL will get applied after successful user login, so you need to allow that.
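The replies above distinguish the redirect ACL (where deny means "do not redirect") from the default dACL that actually filters traffic. As an added illustration that is not part of the thread, here is a small Python first-match evaluator run over the OP's redirect ACL; the server addresses, the `AD_REACHABLE_DACL` and the client flows are constructed assumptions, not values from the thread.

```python
# Added example (not from the thread): minimal first-match evaluator for IOS-style ACEs.
ISE_SERVER = "10.0.0.10"    # constructed stand-in for <ISE Server>
LDAP_SERVER = "10.0.0.20"   # constructed stand-in for <LDAP Server>

# ACE = (action, protocol, src, src_port, dst, dst_port); None means any port.
REDIRECT_ACL = [  # CISCO-CWA-URL-REDIRECT-ACL from the first post, placeholders filled in
    ("deny", "udp", "any", 68, "any", 67),            # bootpc -> bootps (DHCP)
    ("deny", "udp", "any", None, "any", 53),          # domain (DNS)
    ("deny", "udp", "any", None, ISE_SERVER, 8905),
    ("deny", "tcp", "any", None, ISE_SERVER, 8905),
    ("deny", "tcp", "any", None, ISE_SERVER, 8443),
    ("deny", "ip", "any", None, LDAP_SERVER, None),
    ("permit", "ip", "any", None, "72.163.1.80", None),
    ("permit", "ip", "any", None, "any", None),
]
DENY_ALL_DACL = [("deny", "ip", "any", None, "any", None)]
AD_REACHABLE_DACL = [  # constructed: the kind of default dACL the replies ask for
    ("permit", "udp", "any", 68, "any", 67),
    ("permit", "udp", "any", None, "any", 53),
    ("permit", "ip", "any", None, LDAP_SERVER, None),
]

def first_match(acl, proto, src, sport, dst, dport):
    """Action of the first ACE matching the flow; implicit deny if none does."""
    for action, p, s, sp, d, dp in acl:
        if p != "ip" and p != proto:
            continue
        if s in ("any", src) and sp in (None, sport) and d in ("any", dst) and dp in (None, dport):
            return action
    return "deny"

def is_redirected(flow):
    """Redirect-ACL semantics: permit = sent to the ISE portal, deny = left untouched."""
    return first_match(REDIRECT_ACL, *flow) == "permit"

def is_forwarded(dacl, flow):
    """dACL semantics: permit = forwarded, deny = dropped."""
    return first_match(dacl, *flow) == "permit"

# Constructed client flows: DHCP discover, DNS lookup, LDAP bind to the directory, plain web.
FLOWS = {
    "dhcp": ("udp", "0.0.0.0", 68, "255.255.255.255", 67),
    "dns":  ("udp", "10.1.1.5", 51000, "10.0.0.53", 53),
    "ldap": ("tcp", "10.1.1.5", 51001, LDAP_SERVER, 389),
    "web":  ("tcp", "10.1.1.5", 51002, "198.51.100.7", 80),
}

def summary(dacl):
    """Per flow name: (redirected by REDIRECT_ACL?, forwarded by the given dACL?)."""
    return {name: (is_redirected(f), is_forwarded(dacl, f)) for name, f in FLOWS.items()}
```

With the deny-all default dACL only the web flow is redirected and nothing is forwarded, so the directory is unreachable; the constructed AD-reachable dACL forwards DHCP, DNS and LDAP while still redirecting only web traffic.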

As suggested, I did change the deny policy and pushed a DACL to allow the LDAP servers to be reachable.
The other additional information that I missed out on was that all the interfaces are in open authentication.

What I observed is that, post password change, ISE is able to see the auth success and then applies the authorization profile as well for the posture check. But the Windows endpoint pops up saying that the domain is not reachable.
To troubleshoot this further, I just pushed a DACL containing nothing but permit any any. Still the endpoint tells me that the domain is unavailable and does not allow the user to log in at all.

The only way I can allow the user to log in is by removing the dot1x configuration from the interface, logging in with the new password, and putting the dot1x config back on the interface, until the next time the user changes the password.