
Unable to login via Wireless Client

kknuckles
Level 1

I have a wireless network infrastructure that is controlled by two WLC 5508s, Prime NCS and ISE. I have two networks for my users, an employee network and a student network. I started publishing the information for these networks via a group policy and the settings are identical, with the exception of the SSID.

My employees can log on to the employee network with no problems. I can walk up to any laptop, regardless of whether I have logged on to it before or not, and log on with no issues. ISE correctly profiles my account and authorizes me for the right profile. My students, however, are another story. Laptops that are designated for student use have the wireless network in their network list, and at the logon it shows that it will attempt to connect to the STUDENTS network. When I enter a student username and password, it begins to log in but then gives an error that says:

'There are currently no logon servers available to process the logon request'

The students cannot log in at all. I can use my domain admin or my account and log in to one of the units with no problem, even if I haven't logged on to the unit before with that account.

I don't know if this is an ISE issue or some other type of issue. I'm leaning towards ISE being the issue, since it's what is passing authentication through to the domain. I have my students all in groups and I have those groups added to ISE, just like I have my employees added.

Any thoughts or ideas?

4 Replies

Scott Fella
Hall of Fame

Please take a look at the logs on ISE. That will tell you where the user is failing and maybe it is your policies. If you don't see any logs come in for that user then we can take a look at the WLC configuration.

Sent from Cisco Technical Support iPhone App

-Scott
*** Please rate helpful posts ***

chris_day
Level 1

I agree with Scott: check your ISE logs. See what policy they are hitting to be allowed or denied. Also check the authentication policy to make sure you're not using the called-station-id to select your identity store. I've done this many times and it's going to be easy to figure out if you can see the policy they are hitting.


Sent from Cisco Technical Support iPhone App

ajc
Level 7

I have valid certificates installed in our Surface Pro running Win 8.1 and HP devices running Win 7 which are connected to our 802.1x SSID (EAP-TLS) and I am getting the same error message

'There are currently no logon servers available to service the logon request'

Sometimes it takes up to 1 hour so they automatically connect.

I have not seen any L2 AUTHC failure on ISE even though the user selects the proper SSID and as I mentioned above after several minutes he can connect.

thanks

Can you clear the counters on your RADIUS servers in the WLC menu? Attempt your login and then check and see what counters increment. Make sure your RADIUS servers are selected in the WLAN's AAA settings; if they are not in the WLAN, make sure you have network authentication selected on the RADIUS servers in the WLC. You should be able to see from the counters if you are timing out, getting an access reject, or other message back from ISE. We want to make sure you are hitting the ISE as well. Under the AAA settings make sure you do not set the RADIUS auth override setting; all auth traffic should be coming from the management IP address of the WLC. If you select the RADIUS auth override, then auth requests will come from the dynamic interface that is servicing that WLAN.
