CISCO ACS Windows "Logon server not available"

Hi,

We have an issue where a first-time user (on a laptop) cannot log in on the machine. Windows replies with "Logon server not available". A user with already cached credentials on the machine can.

topology wireless:

ap-->wlc-->acs-->fw-->ad

Actually, this doesn't work on both wired and wireless.

 

We have Cisco 5.8 set up as follows:

 

When the machine is turned on or the user logs off, this will happen:

1. Machine authentication, using the machine name to authenticate against the AD -- once authenticated, it will get an IP of x.x.x.x - this range is not allowed on the fw to have access to the AD.

 

When the user logs on to the machine, this will happen:

2. User authentication, using PEAP to authenticate -- once authenticated, it will get an IP of y.y.y.y - this range is allowed on the fw to have access to the AD.

 

No. 2 works fine for a user with already cached credentials on the machine.

No. 2 doesn't work for a first-time user (on the laptop). The only time we were able to make this work was when we allowed the IP range that it gets (machine authentication) on the fw to have access to the AD.

 

Is there any configuration on the ACS to resolve this issue? Or do we really need to allow the IP range which we get from machine authentication to make this work?

 

3 Replies

patoberli
VIP Alumni
Windows 10 or older?
Asking because Windows 7 only connects after the user has logged in, while Windows 10 can make a wireless connection before a user has logged in.

Win7

I think, but never realized this, you need to allow the IP range of machine authentication access to the AD in the case of Windows 7.