Beginner

client logon issue ( ISE )

Hi,

We implemented ISE 2.4 along with a proxy server.

We've noticed that if a new user tries to log on to Windows, he gets an error message: "there are currently no logon servers available to service the logon request".

The cached user can log on after a while.

We are using Azure hybrid mode (local domain with Azure AD).

We configured ISE to allow access to the IP of the local AD, but since we are using SSO the client has to authenticate in Azure AD as well.

Users configured with proxy only can log on without any problem.

Any idea how to resolve this issue?

4 REPLIES
VIP Advocate

Re: client logon issue ( ISE )

Hi @cyrus82

When you say proxy I assume you are referring to the web proxy for end clients, and not the proxy configured in ISE?

If so, then this is an IP troubleshooting issue on the clients. Once ISE (or any RADIUS server) authenticates and authorizes the client, the client will be allowed access to the switch/WLC etc. Client gets IP address via DHCP or static IP. But what happens next has nothing to do with ISE. If a client needs to talk to the internet and your organisation uses a proxy, then you need to understand how the proxy is being configured on clients.

Either it's manual (e.g. IP address and port of proxy) or automatic (e.g. WPAD discovery using DNS). It might be that your WPAD is being blocked. Check whether you are using WPAD. You need to allow WPAD DNS resolution (via regular DNS) and then you also need to allow the downloading of the .XML WPAD file. Perhaps this is getting blocked?

Wireshark is probably your best bet to see what happens after the client gets an IP address. Use Wireshark to see what happens next.
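As an added example (not part of the original thread), the Wireshark check suggested in the reply above can be run over a tshark field export to list the DNS names that never got a reply and the TCP destinations whose SYN was never answered, which is what a blocked WPAD lookup or proxy connection looks like on the client. The capture rows, addresses, host names and ports below are constructed for illustration.

```python
import csv
import io

# Constructed sample of: tshark -r client.pcapng -T fields -E separator=, \
#   -e frame.time_relative -e ip.src -e ip.dst -e dns.qry.name \
#   -e dns.flags.response -e tcp.srcport -e tcp.dstport \
#   -e tcp.flags.syn -e tcp.flags.ack
# All addresses, names and ports are made up for illustration.
SAMPLE = """\
0.10,10.1.1.50,10.1.1.10,dc01.corp.example,0,,,,
0.11,10.1.1.10,10.1.1.50,dc01.corp.example,1,,,,
0.20,10.1.1.50,10.1.1.10,wpad.corp.example,0,,,,
1.20,10.1.1.50,10.1.1.10,wpad.corp.example,0,,,,
0.30,10.1.1.50,10.1.1.10,,,50001,389,1,0
0.31,10.1.1.10,10.1.1.50,,,389,50001,1,1
0.40,10.1.1.50,10.1.1.20,,,50002,8080,1,0
1.40,10.1.1.50,10.1.1.20,,,50002,8080,1,0
"""


def truthy(value):
    # tshark prints booleans as 1/0 or True/False depending on version
    return value.strip().lower() in ("1", "true")


def find_blocked(text, client):
    """Return (DNS names never answered, (ip, port) whose SYN got no SYN-ACK)."""
    dns_asked, dns_answered = set(), set()
    syn_sent, syn_acked = set(), set()
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 9:
            continue
        _, src, dst, qname, is_resp, sport, dport, syn, ack = row
        if qname:  # DNS; any reply (even NXDOMAIN) proves the path is open
            if truthy(is_resp) and dst == client:
                dns_answered.add(qname.lower())
            elif src == client:
                dns_asked.add(qname.lower())
        elif truthy(syn):  # TCP handshake packets only
            if truthy(ack) and dst == client:
                syn_acked.add((src, int(sport), int(dport)))
            elif not truthy(ack) and src == client:
                syn_sent.add((dst, int(dport), int(sport)))
    unanswered_tcp = {(ip, port) for ip, port, _ in syn_sent - syn_acked}
    return sorted(dns_asked - dns_answered), sorted(unanswered_tcp)


if __name__ == "__main__":
    names, flows = find_blocked(SAMPLE, "10.1.1.50")
    print("DNS queries with no reply:", names)
    print("TCP SYNs with no SYN-ACK:", flows)
```

Anything this reports is a candidate for the pre-authentication access list or the firewall path between the client and that destination.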

Beginner

Re: client logon issue ( ISE )

Hi @Arne Bier

Thank you for your reply.

Actually, we are using a proxy appliance. However, when we disable NAM on the client side we didn't face any issue with Windows logon. The traffic is passing through the proxy.

As per Microsoft, clients need to reach Azure AD (cloud) in the pre-authentication in order to authenticate. Therefore, we added the Azure AD links to the proxy whitelist, and it was successful.

But when we implemented ISE in our network we started facing the logon issue again.

Is there any way to allow the client to reach Azure AD, which is located in the cloud, in the pre-authentication?

Thanks

VIP Advocate

Re: client logon issue ( ISE )

Hi @cyrus82

Do you mean you want to use AzureAD as an external identity source during ISE Authentication? The answer is no. ISE doesn't support AzureAD as an external identity source. There is potential for doing a Secure LDAP integration to AzureAD, but that would not support EAP-MSChapv2 authentications.

Cisco Employee

Re: client logon issue ( ISE )

Please make sure to reach out and provide http://cs.co/ise-feedback