01-22-2024 03:28 AM
ISE has a policy which prevents blocking in AD:
22017 Selected Identity Source is DenyAccess - because of Number of bad password attempts for AD instance is higher than the configuration in Active Directory, Skipping the AD authentication.
Can we manually clean the time period after the client resolves the problem (forget the SSID to try again with the right username and password)?
01-22-2024 06:33 AM
Reduce the reject time from 60 to 15 and check.
MHM
01-22-2024 06:44 AM
Yes, I know it will help (but reducing is not recommended), but maybe there is a special link to see the database of rejected endpoints for the "continue rejecting requests" feature, like the WLC dynamic rejection, where we can delete the excluded endpoint manually.
01-22-2024 06:52 AM
The client fails to auth for a specific attempt.
ISE rejects it.
The WLC detects this reject and adds the client to the excluded list for a specific time.
After that the WLC removes the client from the list and the client can try to auth again.
Here I think the excluded list in the WLC must be longer than the auto reject of ISE, not shorter, to ensure that the client can auth again via ISE.
MHM
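The timing interplay described in the post above, as an added constructed model (not Cisco code and not from this thread): ISE trips its AD lockout prevention after a number of bad attempts and answers DenyAccess (the 22017 case) without consulting AD for a reject window, while the WLC excludes the client after a number of consecutive rejects. Whether a retry during the ISE window restarts that window is not settled in the thread, so it is a parameter here; the thresholds, the one-attempt-per-minute pacing and the minute at which the user has the right password are assumptions.

```python
# Constructed model of ISE AD lockout prevention vs. WLC client exclusion.
# Assumptions (not taken from the thread): ISE trips after `threshold` bad
# attempts and denies for `reject_min` minutes; `retry_extends_window` says
# whether a retry inside that window restarts it; the WLC excludes the client
# for `wlc_exclude_min` after `wlc_fail_count` consecutive rejects; the client
# tries once per minute when not excluded and has the right password from
# minute `fixed_at` onward. All times are minutes.

class IseLockoutGuard:
    def __init__(self, threshold, reject_min, retry_extends_window):
        self.threshold, self.reject_min = threshold, reject_min
        self.retry_extends_window = retry_extends_window
        self.bad, self.reject_until = 0, 0

    def authenticate(self, password_ok, now):
        """'accept', 'reject' (AD said no) or 'deny-22017' (AD skipped)."""
        if now < self.reject_until:
            if self.retry_extends_window:
                self.reject_until = now + self.reject_min
            return "deny-22017"
        if password_ok:
            self.bad = 0
            return "accept"
        self.bad += 1
        if self.bad >= self.threshold:
            self.bad, self.reject_until = 0, now + self.reject_min
        return "reject"


def first_accept(ise_reject_min, wlc_exclude_min, retry_extends_window,
                 threshold=3, wlc_fail_count=3, fixed_at=3, horizon=600):
    """Minute at which ISE first accepts the client, or None within horizon."""
    ise = IseLockoutGuard(threshold, ise_reject_min, retry_extends_window)
    excluded_until, wlc_fails = 0, 0
    for now in range(horizon):
        if now < excluded_until:
            continue                      # WLC still excludes the client
        if ise.authenticate(now >= fixed_at, now) == "accept":
            return now
        wlc_fails += 1
        if wlc_fails >= wlc_fail_count:
            wlc_fails, excluded_until = 0, now + wlc_exclude_min
    return None


if __name__ == "__main__":
    for ise_min, wlc_min, extends in [(60, 15, False), (60, 15, True), (60, 90, True)]:
        print(ise_min, wlc_min, extends, "->", first_accept(ise_min, wlc_min, extends))
```

With a 60-minute ISE window and a 15-minute WLC exclusion the client recovers at minute 68 only if retries do not restart the window; if they do, the client is never let back in, which is the case the post is worried about. A 90-minute exclusion recovers at minute 92 either way.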
01-22-2024 07:02 AM
ISE prevents blocking clients in the AD, and when it happens I can see it in the ISE live log. So in the WLC database for excluding clients I can't see this client (which was blocked by ISE). And maybe I can see it in ISE?
01-22-2024 07:04 AM
Did you enable the excluded list under the WLAN?
MHM
01-22-2024 07:06 AM
Of course.
01-22-2024 07:12 AM
OK, go to the excluded list policy and select all options.
I don't know if ISE returns timeout or failure for an auto-rejected client.
MHM
01-22-2024 10:05 PM
My environment has config for excluding, but I think I'm not able to see it in the WLC because ISE has its own database for excluding.