Post ISE Installation - Error Message on PC "No Windows Login Servers available"

Dear Support Team

We are facing a strange issue.

Wired 802.1x is deployed using both machine & user authentication. All the machines are in the domain. Now on PCs, user authentication & authorization is happening successfully when the user logs in with his username/password.

Since the user has no admin privileges, sometimes an administrator has to log in to install some software; here we are facing the issue.

When the system admin logs in with the Administrator (defined on Active Directory) username/password, the user could not log in and the following error message is displayed.

"No Windows Logon Servers available to process this request"

However, if the 802.1x configuration is removed, everything is back to normal.

Here is the ACL on the switch port. (Default Access)

permit udp any eq bootpc any eq bootps
permit udp any any eq domain
permit udp any host 10.0.x.100 eq 8905
permit tcp any host 10.0.x.100 eq 8905
permit tcp any host 10.0.x.100 eq 8909
permit udp any host 10.0.x.100 eq 8909
permit tcp any host 10.0.x.100 eq 8443
permit ip any host 10.0.x.19 (Domain Controller 1)
permit ip any host 10.0.x.21 (Domain Controller 2)
permit ip any host 10.0.x.23 (Domain Controller 3)
permit ip any host 10.0.x.13 (Anti Virus Server)
permit ip any host 10.0.y.72 (Remediation Server)

!

ACL used for redirection

ip access-list extended ise-redirect
deny udp any eq bootpc any eq bootps
deny udp any any eq domain
deny udp any host 10.0.x.100 eq 8905 (ISE)
deny tcp any host 10.0.x.100 eq 8905 (ISE)
deny tcp any host 10.0.x.100 eq 8909 (ISE)
deny udp any host 10.0.x.100 eq 8909 (ISE)
deny tcp any host 10.0.x.100 eq 8443 (ISE)
deny ip any host 10.0.3.13 (AV Server)
deny ip any host 10.0.3.19 (Domain Controller 1)
deny ip any host 10.0.3.21 (Domain Controller 2)
deny ip any host 10.0.3.23 (Domain Controller 3)
deny ip any host 10.0.50.72 (Remediation Server)
permit ip any any

!

802.1x Configuration on the switch port.

interface FastEthernet1/0/37
 description MAC .2bd2
 switchport access vlan 50
 switchport mode access
 switchport voice vlan 4
 ip access-group NRA in
 authentication event fail action next-method
 authentication event server dead action reinitialize vlan 50
 authentication event server dead action authorize voice
 authentication host-mode multi-auth
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication violation restrict
 mab
 snmp trap mac-notification change added
 snmp trap mac-notification change removed
 dot1x pae authenticator
 dot1x timeout tx-period 10
 spanning-tree portfast
end

!

Any inputs are highly appreciated.

Thanks

Ahad

1 REPLY 1

Ahad,

Make sure you have SSO configured correctly on your supplicant. You need to check "Enable single sign on for this network" so that users without a cached credential on a machine will be able to log in. Also, SSO needs to be allowed before logon:

Tim
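
An added example, not part of the original thread: a Python check that audits a wired profile exported with `netsh lan export profile` for the pre-logon single sign-on setting the reply describes. It assumes the Windows native supplicant and the element names `OneXEnabled`, `singleSignOn` and `type` in its profile XML; the sample profile is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported wired profile (netsh lan export profile).
SAMPLE_PROFILE = """<?xml version="1.0"?>
<LANProfile xmlns="http://www.microsoft.com/networking/LAN/profile/v1">
  <MSM><security>
    <OneXEnabled>true</OneXEnabled>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>machineOrUser</authMode>
      <singleSignOn>
        <type>postLogon</type>
        <maxDelay>10</maxDelay>
      </singleSignOn>
    </OneX>
  </security></MSM>
</LANProfile>"""

def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find(root, name):
    """First descendant with the given local name, or None."""
    return next((e for e in root.iter() if local(e.tag) == name), None)

def audit_sso(profile_xml):
    """Return a list of findings; an empty list means pre-logon SSO is set."""
    root = ET.fromstring(profile_xml)
    findings = []
    enabled = find(root, "OneXEnabled")
    if enabled is None or (enabled.text or "").strip().lower() != "true":
        findings.append("802.1X is not enabled in this profile")
    sso = find(root, "singleSignOn")
    if sso is None:
        # Assumption: no singleSignOn element means the SSO box is unchecked.
        findings.append("single sign-on is not enabled for this network")
        return findings
    sso_type = find(sso, "type")
    value = (sso_type.text or "").strip() if sso_type is not None else ""
    if value != "preLogon":
        findings.append(f"SSO type is {value or 'unset'!r}; expected 'preLogon'")
    return findings

if __name__ == "__main__":
    for line in audit_sso(SAMPLE_PROFILE) or ["pre-logon SSO configured"]:
        print(line)
```

An empty result means the profile authenticates before the Windows logon, which is what a user with no cached credential on the machine needs in order to reach a domain controller.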