Post ISE Installation - Error Message on PC "No Windows Login Servers available"
Dear Support Team,
We are facing a strange issue.
Wired 802.1x is deployed using both machine & user authentication. All the machines are in the domain. Now on PCs, user authentication & authorization is happening successfully when the user logs in with his username/password.
Since the user has no admin privileges, sometimes an administrator has to log in to install some software; here we are facing the issue.
When the system admin logs in with the Administrator (defined on Active Directory) username/password, the user could not log in and the following error message is displayed:
"No Windows Logon Servers available to process this request"
However, if the 802.1x configuration is removed, everything is back to normal.
Here is the ACL on the switch port. (Default Access)
 permit udp any eq bootpc any eq bootps
 permit udp any any eq domain
 permit udp any host 10.0.x.100 eq 8905
 permit tcp any host 10.0.x.100 eq 8905
 permit tcp any host 10.0.x.100 eq 8909
 permit udp any host 10.0.x.100 eq 8909
 permit tcp any host 10.0.x.100 eq 8443
 permit ip any host 10.0.x.19 (Domain Controller 1)
 permit ip any host 10.0.x.21 (Domain Controller 2)
 permit ip any host 10.0.x.23 (Domain Controller 3)
 permit ip any host 10.0.x.13 (Anti Virus Server)
 permit ip any host 10.0.y.72 (Remediation Server)
ACL used for redirection
ip access-list extended ise-redirect
 deny udp any eq bootpc any eq bootps
 deny udp any any eq domain
 deny udp any host 10.0.x.100 eq 8905 (ISE)
 deny tcp any host 10.0.x.100 eq 8905 (ISE)
 deny tcp any host 10.0.x.100 eq 8909 (ISE)
 deny udp any host 10.0.x.100 eq 8909 (ISE)
 deny tcp any host 10.0.x.100 eq 8443 (ISE)
 deny ip any host 10.0.3.13 (AV Server)
 deny ip any host 10.0.3.19 (Domain Controller 1)
 deny ip any host 10.0.3.21 (Domain Controller 2)
 deny ip any host 10.0.3.23 (Domain Controller 3)
 deny ip any host 10.0.50.72 (Remediation Server)
 permit ip any any
802.1x Configuration on the switch port.
interface FastEthernet1/0/37
 description MAC .2bd2
 switchport access vlan 50
 switchport mode access
 switchport voice vlan 4
 ip access-group NRA in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 50
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end
Make sure you have SSO configured correctly on your supplicant. You need to check "Enable single sign on for this network" so that users without a cached credential on a machine will be able to log in. Also, SSO needs to be allowed before logon:
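
One way to audit the setting described in the reply above across many PCs, as an added example that is not part of the original thread. It assumes the Windows native wired supplicant and a profile exported with `netsh lan export profile`. The sample profiles are constructed, and `check_sso` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Namespace of the 802.1X (OneX) section in an exported Windows wired profile.
NS = {"onex": "http://www.microsoft.com/networking/OneX/v1"}

# Constructed profile skeleton, trimmed to the elements this check reads.
PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>%s
    </OneX>
  </security></MSM>
</LANProfile>"""

# Constructed samples: SSO before logon, SSO after logon, SSO not configured.
SSO = "<singleSignOn><type>%s</type><maxDelay>10</maxDelay></singleSignOn>"
SAMPLE_PRELOGON = PROFILE % (SSO % "preLogon")
SAMPLE_POSTLOGON = PROFILE % (SSO % "postLogon")
SAMPLE_NO_SSO = PROFILE % ""


def check_sso(profile_xml):
    """Return a list of findings; an empty list means SSO runs before logon."""
    onex = ET.fromstring(profile_xml).find(".//onex:OneX", NS)
    if onex is None:
        return ["profile has no 802.1X (OneX) settings"]
    sso = onex.find("onex:singleSignOn", NS)
    if sso is None:
        # "Enable single sign on for this network" is unchecked.
        return ["single sign-on is not enabled for this network"]
    sso_type = sso.findtext("onex:type", default="", namespaces=NS)
    if sso_type != "preLogon":
        return ["single sign-on is enabled but runs as %r, not before logon" % sso_type]
    return []


if __name__ == "__main__":
    for name, xml_text in [("prelogon", SAMPLE_PRELOGON),
                           ("postlogon", SAMPLE_POSTLOGON),
                           ("no-sso", SAMPLE_NO_SSO)]:
        print(name, check_sso(xml_text) or "OK")
```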