client logon issue ( ISE )

cyrus82
Level 1

Hi,

We implemented ISE 2.4 along with a proxy server.

We've noticed that if a new user tries to log on to Windows, he gets the error message "There are currently no logon servers available to service the logon request".

The cached user can log on after a while.

We are using Azure hybrid mode (local domain with Azure AD).

We configured ISE to allow access to the IP of the local AD, but since we are using SSO, the client has to authenticate in Azure AD as well.

Users configured with proxy only can log on without any problem.

Any idea how to resolve this issue?

Arne Bier
VIP

Hi @cyrus82

When you say proxy I assume you are referring to the web proxy for end clients, and not the proxy configured in ISE?

If so, then this is an IP troubleshooting issue on the clients. Once ISE (or any RADIUS server) authenticates and authorizes the client, the client will be allowed access to the switch/WLC etc. Client gets IP address via DHCP or static IP. But what happens next has nothing to do with ISE. If a client needs to talk to the internet and your organisation uses a proxy, then you need to understand how the proxy is being configured on clients.

Either it's manual (e.g. IP address and port of proxy) or automatic (e.g. WPAD discovery using DNS). It might be that your WPAD is being blocked. Check whether you are using WPAD. You need to allow WPAD DNS resolution (via regular DNS) and then you also need to allow the downloading of the .XML WPAD file. Perhaps this is getting blocked?

Wireshark is probably your best bet to see what happens after the client gets an IP address. Use Wireshark to see what happens next.

Hi @Arne Bier

Thank you for your reply.

Actually, we are using a proxy appliance. However, when we disabled NAM on the client side, we didn't face any issue with Windows logon. The traffic is passing through the proxy.

As per Microsoft, clients need to reach Azure AD (cloud) in pre-authentication in order to authenticate. Therefore, we added the Azure AD links to the proxy whitelist, and it was successful.

But when we implemented ISE in our network, we started facing the logon issue again.

Is there any way to allow the client to reach Azure AD, which is located in the cloud, in pre-authentication?

Thanks

Hi @cyrus82

Do you mean you want to use AzureAD as an external identity source during ISE Authentication? The answer is no. ISE doesn't support AzureAD as an external identity source. There is potential for doing a Secure LDAP integration to AzureAD, but that would not support EAP-MSCHAPv2 authentications.

Please make sure to reach out and provide http://cs.co/ise-feedback