ISE - Machine + user authentication
I've searched forum, community but I couldn't find exactly what I need:
I have a client that wants to use two-step authentication on wireless: first machine authentication to make sure that the device is on the domain, and then username/password authentication.
Now, I've read about MAR, EAP chaining, and I understood it all, only thing I didn't understand is:
If I configure ISE to authenticate machine, it will allow limited access to DC (for example).
Then, after that AuthZ profile is applied, what will perform the new authorization? My understanding is that once MAR is done, the AuthZ profile is applied and authorization is finished.
Now, I am not asking about turning on laptop, getting PC on the network, then logging in and then providing the user/credentials, etc. I am asking for this scenario:
How should the ISE policy and AuthZ profile look, for example, when I come into the office, my wireless card is disabled, I log in to my laptop, then I notice that my wireless card is disabled and enable it? I need to have machine authentication happening at that point + prompting the user for username/password to complete registration on wireless.
NAM is already refused by client, so I need something that will work on plain Windows 7.
Thanks.
Hello Align-
In your post you are referring to two completely separate and independent solutions:
1. MAR
2. EAP-Chaining
MAR only happens when the machine first boots up and the host presents its machine domain credentials. Then the machine MAC address is saved in ISE. The MAC is preserved in ISE for as long as configured in the machine timer. Keep in mind that if, let's say, a computer was booted while connected to the wired network, only that MAC address will be authenticated. If the user moves to wireless, the connection will be denied as ISE will not have any record of the wireless MAC. Along with all of that, you will need another method (usually PEAP) to perform the user authentication. Usually this method is not a very good one to implement due to the issues listed above.
EAP-Chaining, on the other hand, utilizes EAP-FAST and it's a multi-phase method during which both machine and user information is passed in a secured TLS tunnel. For that you need to implement Cisco AnyConnect as it is the only software supplicant that supports it at the moment. For more info you might want to look into Cisco's TrustSec guide:
http://www.cisco.com/en/US/solutions/collateral/ns340/ns414/ns742/ns744/docs/howto_80_eapchaining_deployment.pdf
I hope this helps!
Thank you for rating!
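As an added illustration (not from the thread or from Cisco), the Python model below replays the MAR cache behaviour described in this answer and in the later "ISE machine authentication timeout" reply: entries keyed by the RADIUS Calling-Station-ID (client MAC), a TTL in hours, and a different authorization profile when no machine entry is found. The profile names, the MAC addresses and the assumption that each new successful machine authentication refreshes the entry are constructed for this example.

```python
"""Model of ISE's Machine Access Restriction (MAR) cache (added example,
not Cisco code). Assumptions: the cache is keyed by Calling-Station-ID
(attribute 31, the client MAC), an entry lives for the configured
'Time to Live' in hours, every successful machine authentication
re-stamps the entry, and the profile names below are constructed."""
from dataclasses import dataclass, field

HOUR = 3600.0


def _norm(mac):
    """Normalise a MAC so '00-11-22-33-44-55' and '00:11:22:33:44:55' match."""
    return mac.replace("-", "").replace(":", "").replace(".", "").upper()


@dataclass
class MarCache:
    ttl_hours: float
    _expiry: dict = field(default_factory=dict, init=False)  # MAC -> expiry (s)

    def machine_authenticated(self, calling_station_id, now):
        """Successful machine auth: cache the MAC with a fresh TTL (assumption)."""
        self._expiry[_norm(calling_station_id)] = now + self.ttl_hours * HOUR

    def lookup(self, calling_station_id, now):
        """True if a non-expired machine authentication exists for this MAC."""
        key = _norm(calling_station_id)
        expiry = self._expiry.get(key)
        if expiry is None:
            return False
        if now >= expiry:
            del self._expiry[key]  # ISE deletes an expired entry from its cache
            return False
        return True


def authorize_user(cache, calling_station_id, is_domain_user, now):
    """Return the authorization profile for a user authentication.

    'Employee_MachineAndUser' and 'User_NoMachineAuth' are constructed names
    standing for the two profiles described on this page: one assigned when
    the MAC is found in the MAR cache, the other when user authentication
    succeeds without a prior machine authentication (ISE logs step 24423)."""
    if not is_domain_user:
        return "DenyAccess"
    if cache.lookup(calling_station_id, now):
        return "Employee_MachineAndUser"
    return "User_NoMachineAuth"


def scenario_wired_boot_then_wireless():
    """Machine booted on the wired NIC, user then connects over Wi-Fi: the
    wireless MAC was never machine-authenticated, so MAR finds nothing."""
    cache = MarCache(ttl_hours=1)
    cache.machine_authenticated("00:11:22:AA:BB:01", now=0)  # wired NIC
    return authorize_user(cache, "00:11:22:AA:BB:02", True, now=60)  # wireless NIC


def scenario_ttl_expiry(ttl_hours, reboot_at_hours, user_auth_at_hours):
    """Machine auth at t=0, an optional reboot (fresh machine auth) later,
    then a user auth on the same MAC; returns the profile the user gets."""
    cache = MarCache(ttl_hours=ttl_hours)
    mac = "00-11-22-AA-BB-03"  # constructed
    cache.machine_authenticated(mac, now=0)
    if reboot_at_hours is not None:
        cache.machine_authenticated(mac, now=reboot_at_hours * HOUR)
    return authorize_user(cache, mac, True, now=user_auth_at_hours * HOUR)


if __name__ == "__main__":
    print("wired boot, wireless user  :", scenario_wired_boot_then_wireless())
    print("1h TTL, user auth at 1.5h  :", scenario_ttl_expiry(1, None, 1.5))
    print("8h TTL, no reboot, auth 9h :", scenario_ttl_expiry(8, None, 9))
    print("8h TTL, reboot 7h, auth 9h :", scenario_ttl_expiry(8, 7, 9))
```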
Similar Messages
-
Hello,
I'm trying to do machine and user authentication using EAP-TLS and digital certificates. Machines have certificates where the Principal Username is SAN:DNS, user certificates (smartcards) use SAN:Other Name as the Principal Username.
In ISE, I can define multiple Certificate Authentication Profiles (CAP). For example CAP1 (Machine) - SAN:DNS, CAP2 (User) - SAN:Other Name
Problem is how do you specify ISE to check both in the Authentication Policy? The Identity Store Sequence only accepts one CAP, so if I created an authentication policy for Dot1x to check CAP1 -> AD -> Internal, it will match the machine cert, but fail on user cert.
Any way to resolve this?
Thanks,
Steve
You need to use the AnyConnect NAM supplicant on your Windows machines, and use the feature called EAP-chaining for that; Windows' own supplicant won't work.
An example (it uses user/pass, but the same concept):
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf -
802.1x eap-tls machine + user authentication (wired)
Hi everybody,
Right now we are trying to authenticate the machines and users which are plugged into our switches over 802.1X EAP-TLS. Works just fine with Windows.
You plug a Windows laptop into a switchport and the machine authenticates over EAP-TLS with the computer certificate. Now the user logs in and our RADIUS (Cisco ACS) authenticates the user as well, with the user certificate. After EAP-TLS user authentication the RADIUS checks if the workstation on which the user is currently logged in is authenticated as well. If yes = success; if no, the switchport will not allow any traffic.
Now we have to implement the same behaviour on our MacBook Pros. Here the problems start. First of all I installed user and computer certificates issued by our CA (Win 2008 R2). So far so good. Now I have no idea how to implement the same chain of authentication. I was reading countless blogs, discussions, documentations etc. about how to create .mobileconfig profiles. Right now I'm able to authenticate the machine, and _only_ if I log in. As soon as I log out EAP-TLS stops working. It seems that loginwindow does not know how to authenticate.
1) How do I tell Mavericks to authenticate with the computer certificate while no user is logged in? I already tried profiles with
<key>SetupModes</key>
<array>
<string>System</string>
<string>Loginwindow</string>
</array>
<key>PayloadScope</key>
<string>System</string>
but it does not work.
2) How do I tell Mavericks to reauthenticate with the user certificate when the user logs in?
Thanks
Unfortunately these documents do not describe how to do what I want.
I already have a working 802.1x. But the Mac only authenticates when the user is logged in. I have to say that even this does not work like it should. If I'm logged in, sometimes I need to click on "Connect" under network settings and sometimes it connects just automatically. That's really strange.
I set the eapolclient to debugging mode and see the following in /var/log/system.log when I log out.
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:09 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: [eaptls_plugin.c:189] eaptls_start(): failed to find client cert/identity, paramErr (-50)
Feb 20 18:39:22 MacBook-Pro.local eapolclient[734]: en0 EAP-TLS: authentication failed with status 1001
These are the only debugging messages I get. Looks to me like eapolclient is not able to find a certificate (?)
The certificates are in my System keychain.
Unfortunately Apple also changed the logging behaviour of eapolclient; I don't see any eapolclient.*.log under /var/log.
Any ideas? -
Windows 7 Wireless Logon - Problems with 802.1X Machine & User Authentication
Hello All,
We’ve had difficulty with our Windows 7 clients authenticating to our wireless network. I’m hoping someone out there has experienced the same thing and can offer some help.
Some info about our environment:
Single Windows 2008 R2 domain with 6 DCs
MS Radius server
Aruba wireless controllers
The Problem:
The client computer boots,
Auths as machine (802.1X successful)
User enters creds
User auth (802.1X successful)
To this point, everything is working normally. Next is where it gets weird.
During the logon process, there is another machine auth
2-5 minutes later another User auth
OS is up and usable (connected to the wireless network); however, no home folder is mapped and GPP didn't apply properly.
From what I understand, after the user has logged in, Windows never attempts another machine authentication. When the user logs out, Windows can attempt it.
Can anyone offer some insight to what is causing this? I have logs available if anyone is interested.
Thanks in advance for any help you can offer!
Brett
-- Brett
I did a network trace to gain more insight. I don't understand why, after 802.1X auth is successful on port 1, it then initiates 802.1X auth on port 2.
Can you offer any insight?
10487 3:50:19 PM 8/23/2012 63.0340126 ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Authentication Starting {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
10867 3:50:19 PM 8/23/2012 63.3403904 ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(1 (0x1)): Time taken for this authentication = 281 (0x119) ms {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
Then >>>
11718 3:50:35 PM 8/23/2012 79.3196653 ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:OneXDestroySupplicantPort {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
11938 3:50:36 PM 8/23/2012 80.0530315 ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Finished initializing a new port with id=2 (0x2) and friendly name=Dell Wireless 1504 802.11b/g/n (2.4GHz) {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
11959 3:50:36 PM 8/23/2012 80.0556734 ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:OneXStartAuthentication {ONEX_MicrosoftWindowsOneX:126, NetEvent:5}
11964 3:50:36 PM 8/23/2012 80.0557074 svchost.exe (1036) ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Starting a new 802.1X authentication (MSM initiated)
11965 3:50:36 PM 8/23/2012 80.0557333 svchost.exe (1036) ONEX_MicrosoftWindowsOneX ONEX_MicrosoftWindowsOneX:Port(2 (0x2)): Authentication Starting
-- Brett -
ISE : Machine/user ActiveDirectory group retrieving
Hello,
We are migrating our ACS 5.1 to ISE 1.0.4.
- On ACS we were doing 802.1x authentication over Active Directory, assigning the VLAN according to the computer/user group. In some cases the user VLAN could be different from the computer VLAN (e.g. an admin account connecting to a user account). This works great with ACS.
I tested the same function with ISE and the behaviour is a bit different:
- When the computer boots, I can see the computer account being authenticated on ISE. The logs show the AD groups the computer belongs to and the authorization profile is applied correctly according to the AD group.
- When the user logs in, I can see the user account being authenticated on ISE, BUT the logs show the AD groups of the previous authentication, the ones belonging to the computer, not the user. So the authorization profile is the one from the computer, not the user.
It seems that the AD group attributes are not updated correctly:
- AD logs show the second authentication doesn't trigger a new group lookup from AD.
- Shutting down the switch port while the user is logged in triggers a new authentication and the AD groups are updated correctly.
- The Bug Toolkit references the same bug, but for the WLC (CSCto83897), so I suspect it's present in other cases too.
The NAS is Catalyst 3750 12.2.58(SE2)
Thanks much for your reply. -
PEAP Windows Logon -Machine & User Authentication -Multiple VLANS
Windows Client <==> Access Point <==> Radius <==> Windows DC/AD
Windows OS : XP Client SP 2
Supplicant : Built-in Wireless Supplicant
Authentication : 802.1x PEAP(MS-Chapv2)
Access Point : Aironet 1200
Radius : ACS 3.3
Adaptors : Built-in
CA : Microsoft
I have a single SSID and am using a RADIUS server to assign users to different VLANs. When a computer boots up, machine authentication is used and the ACS tells the access point which VLAN to be on (i.e. VLAN1 192.168.1.x). Then when the user logs on the ACS tells the access point to switch the computer to a different VLAN (i.e. VLAN2 192.168.2.x). The problem is that the windows logon scripts do not run. Once the computer finishes booting, I quickly check its IP address and it still thinks it is on 192.168.1.x (VLAN1) when it is actually on VLAN2 and needs a 192.168.2.x address. If I give the machine time, it will eventually switch its IP to the 192.168.2.x address.
Has anyone else run across this? I assume that there is no fix and that it is a Microsoft problem. Obviously, it can't do the logon script if it does not have a valid IP for its VLAN. I also never know who will be logging into the computer to put the computer in the correct VLAN ahead of time.
Note: If the machine and user are both set to use the same VLAN, the computer does not have to switch IPs and the windows logon script works fine.
Thanks
Steve
Hi there.
I've tried that solution, and I had a similar problem. My problem was on the DHCP server side: there was a superscope defined with the different scopes for each VLAN. When I had the MAC address from one machine registered in the DHCP database, the settings were always the same. Then I deleted the superscope and only defined scopes for each VLAN. It's working fine now.
Hope this helps you.
Regards,
João -
ISE internal user authentication failure - user not found
Hi Forumers'
I'm trying to do wireless 802.1x, where the identity store uses internal users.
But I found this error message when I try to connect:
Authentication failed :
22056 Subject not found in the applicable identity store(s)
My authorization rule is built like this:
identity groups = user identities group / " mygroup"
condition = no setting
permissions = standard / PermitAccess
Question 1
Any troubleshooting step to do on this?
Question 2
For the Authorization rules, what's the condition should set for using Internal User as Identity store?
Thanks
Noel
The error is caused by an authentication failure and is not an issue with authorization.
You need to look at your authentication policy (Policy->Authentications) and see which identity store was authenticated against.
In addition you can go to the Live Authentications page (Monitor->Authentications) and, for the failing record, click on the icon under Details. This will give you the full details of the request processing and you can see which rule was matched in the identity policy (Identity Policy Matched Rule) and the "Selected Identity Stores". -
Machine and User authentication with ISE 1.2.1
Hi ,
Can anyone tell me, for machine authentication, what access needs to be enabled in the DACL for machine logon?
Can we enable the access at port level, i.e. directly at the TCP/UDP or IP level? What is the best practice?
Thanks
Pranav
Is this what you are looking for? EAP Chaining, which uses a machine certificate or a machine username/password locked to the device through the Microsoft domain enrollment process. When the device boots, it is authenticated to the network using 802.1X. When the user logs onto the device, the session information from the machine authentication and the user credentials are sent up to the network as part of the same user authentication. The combination of the two indicates that the device belongs to the corporation and the user is an employee.
http://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone-security/howto_80_eapchaining_deployment.pdf -
ISE machine authentication timeout
Hi all,
We have an ISE infrastructure and we have enabled user and machine authentication through EAP-TLS.
Everything is working fine except that every hour the user must log off and log in again because machine authentication has, I think, expired!
As you can imagine this is unacceptable. I saw that the machine restriction age is only 1 hour and changed it to 8 hours.
My question is: if the machine restarts 7 hours after the first successful authentication, will the timer reset, or will it be kicked after an hour and have to log off and in again?
How have you bypassed the timeout of the MAR cache?
My ISE version is 1.2 with 2 patches installed
Thank you
Sent from Cisco Technical Support iPad App
Hi
Cisco ISE contains a Machine Access Restriction (MAR) component that provides an additional means of controlling authorization for Microsoft Active Directory-authenticated users. This form of authorization is based on the machine authentication of the computer used to access the Cisco ISE network. For every successful machine authentication, Cisco ISE caches the value that was received in the RADIUS Calling-Station-ID attribute (attribute 31) as evidence of a successful machine authentication.
Cisco ISE retains each Calling-Station-ID attribute value in cache until the number of hours that was configured in the "Time to Live" parameter in the Active Directory Settings page expires. Once the parameter has expired, Cisco ISE deletes it from its cache.
When a user authenticates from an end-user client, Cisco ISE searches the cache for a Calling-Station-ID value from successful machine authentications for the Calling-Station-ID value that was received in the user authentication request. If Cisco ISE finds a matching user-authentication Calling-Station-ID value in the cache, this affects how Cisco ISE assigns permissions for the user that requests authentication in the following ways:
• If the Calling-Station-ID value matches one found in the Cisco ISE cache, then the authorization profile for a successful authorization is assigned.
• If the Calling-Station-ID value is not found to match one in the Cisco ISE cache, then the authorization profile for a successful user authentication without machine authentication is assigned. -
Cisco ISE Machine failed machine authentication
Hi, last week we migrated to ISE 1.2 Patch 7 and since then we are having trouble with our corporate SSID.
We have a rule that says :
1) User is domain user.
2) Machine is authenticated.
But for some reason that I can't figure out, some machines (I would say around 200 out of 1000) can't seem to authenticate.
This is the message I found in the "Steps":
24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
I was wondering if I could force something on the controller or on ISE directly.
EDIT: In Operations > Authentications I can see that some host/MachineName are getting authenticated.
Would I be able to force this as a step in my other rule?
Hi shertica, and thank you for the explanation. I started working with ISE a month ago and am still getting familiarized, but I think the problem is the relationship between the machine and the user, because I can't find any Host/MachineName failure in the last 24 hours and I can't seem to get any log further back than that.
Failure Reason
15039 Rejected per authorization profile
Resolution
Authorization Profile with ACCESS_REJECT attribute was selected as a result of the matching authorization rule. Check the appropriate Authorization policy rule-results.
Steps
11001 Received RADIUS Access-Request
11017 RADIUS created a new session
15049 Evaluating Policy Group
15008 Evaluating Service Selection Policy
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule
11507 Extracted EAP-Response/Identity
12300 Prepared EAP-Request proposing PEAP with challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12302 Extracted EAP-Response containing PEAP challenge-response and accepting PEAP as negotiated
12318 Successfully negotiated PEAP version 0
12800 Extracted first TLS record; TLS handshake started
12805 Extracted TLS ClientHello message
12806 Prepared TLS ServerHello message
12807 Prepared TLS Certificate message
12810 Prepared TLS ServerDone message
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12318 Successfully negotiated PEAP version 0
12812 Extracted TLS ClientKeyExchange message
12804 Extracted TLS Finished message
12801 Prepared TLS ChangeCipherSpec message
12802 Prepared TLS Finished message
12816 TLS handshake succeeded
12310 PEAP full handshake finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
12313 PEAP inner method started
11521 Prepared EAP-Request/Identity for inner EAP method
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11522 Extracted EAP-Response/Identity for inner EAP method
11806 Prepared EAP-Request for inner method proposing EAP-MSCHAP with challenge
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11808 Extracted EAP-Response containing EAP-MSCHAP challenge-response for inner method and accepting EAP-MSCHAP as negotiated
15041 Evaluating Identity Policy
15006 Matched Default Rule
15013 Selected Identity Source - IdentityStore_AD_liadom01
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
22037 Authentication Passed
11824 EAP-MSCHAP authentication attempt passed
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
11810 Extracted EAP-Response for inner method containing MSCHAP challenge-response
11814 Inner EAP-MSCHAP authentication succeeded
11519 Prepared EAP-Success for inner EAP method
12314 PEAP inner method finished successfully
12305 Prepared EAP-Request with another PEAP challenge
11006 Returned RADIUS Access-Challenge
11001 Received RADIUS Access-Request
11018 RADIUS is re-using an existing session
12304 Extracted EAP-Response containing PEAP challenge-response
24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory - LIADOM01\lidoex
24416 User's Groups retrieval from Active Directory succeeded
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15048 Queried PIP
15004 Matched rule - AuthZBlock_DOT1X
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
12306 PEAP authentication succeeded
11503 Prepared EAP-Success
11003 Returned RADIUS Access-Reject
Edit: I found a couple of these:
Event
5400 Authentication failed
Failure Reason
24485 Machine authentication against Active Directory has failed because of wrong password
Resolution
Check if the machine is present in the Active Directory domain and if it is spelled correctly. Also check whether machine authentication is configured properly on the supplicant.
Root cause
Machine authentication against Active Directory has failed because of wrong password.
Username
host/MachineName
I also have an alarming number of: Misconfigured Supplicant Detected (3714) -
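Added triage helper (not from the thread or from ISE) for the "Steps" list in the session details above: it accepts the steps either as pasted here or as "code message" on one line, and reports the identity store, the AD user, whether step 24423 (no confirmed machine authentication) occurred and which authorization rule and profile fired, which is the chain this post shows. The sample steps are a constructed excerpt of the session pasted above, and likely_cause() encodes only the resolution text already quoted in this thread.

```python
"""Triage parser for the ISE 'Steps' list (added example, not ISE code).
Each step is a 5-digit code plus a message, either on one line or with
the code on its own line and the message on the next, as pasted above."""
import re

STEP_RE = re.compile(r"^(\d{5})(?:\s+(.+))?$")

# Constructed excerpt of the rejected session pasted in the thread above.
SAMPLE_STEPS = r"""
11001 Received RADIUS Access-Request
15004 Matched rule
15013 Selected Identity Source - IdentityStore_AD_liadom01
24430 Authenticating user against Active Directory
24402 User authentication against Active Directory succeeded
11814 Inner EAP-MSCHAP authentication succeeded
24423 ISE has not been able to confirm previous successful machine authentication for user in Active Directory
15036 Evaluating Authorization Policy
24432 Looking up user in Active Directory - LIADOM01\lidoex
15004 Matched rule - AuthZBlock_DOT1X
15016 Selected Authorization Profile - DenyAccess
15039 Rejected per authorization profile
11003 Returned RADIUS Access-Reject
"""


def parse_steps(text):
    """Return [(code, message), ...] from either layout of the Steps list."""
    steps, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STEP_RE.match(line)
        if m and m.group(2):            # "code message" on one line
            steps.append((m.group(1), m.group(2).strip()))
            pending = None
        elif m:                         # bare code: the message is on the next line
            pending = m.group(1)
        elif pending is not None:       # message line following a bare code
            steps.append((pending, line))
            pending = None
    return steps


def _after_dash(message):
    """Value after ' - ' in messages like 'Matched rule - AuthZBlock_DOT1X'."""
    _, sep, tail = message.partition(" - ")
    return tail.strip() if sep else None


def triage(text):
    """Summarise one session: who authenticated where, and why it was rejected."""
    steps = parse_steps(text)
    codes = {code for code, _ in steps}
    report = {
        "identity_store": None,
        "user": None,
        "ad_user_auth_passed": "24402" in codes,
        "machine_auth_missing": "24423" in codes,       # MAR lookup found nothing
        "machine_auth_bad_password": "24485" in codes,  # the failure shown in the Edit above
        "authz_rule": None,
        "authz_profile": None,
        "rejected": "11003" in codes,
    }
    for code, msg in steps:
        if code == "15013":
            report["identity_store"] = _after_dash(msg)
        elif code == "24432":
            report["user"] = _after_dash(msg)
        elif code == "15004" and _after_dash(msg):      # the policy-set 15004 carries no name
            report["authz_rule"] = _after_dash(msg)
        elif code == "15016":
            report["authz_profile"] = _after_dash(msg)
    return report


def likely_cause(report):
    """Map the flags to the resolutions quoted in this thread."""
    if report["machine_auth_bad_password"]:
        return ("machine authentication failed (24485): check the machine account in AD "
                "and the supplicant's machine-authentication settings")
    if report["rejected"] and report["ad_user_auth_passed"] and report["machine_auth_missing"]:
        return ("user credentials accepted but no prior machine authentication found (24423): "
                "look for failed host/ authentications from this client and check the MAR TTL")
    if report["rejected"]:
        return "rejected by rule %s (profile %s)" % (report["authz_rule"], report["authz_profile"])
    return "no reject in this session"


if __name__ == "__main__":
    r = triage(SAMPLE_STEPS)
    for key, value in r.items():
        print("%-26s %s" % (key, value))
    print(likely_cause(r))
```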
ISE; machine based dot1x authentication not working
Hi there,
I'm currently trying out dot1x authentication with MDA. The phone is currently authenticated via MAB. I succeeded to do the same with a Win7 workstation, but now I have a problem with true dot1x auth. Whenever the client tries to authenticate to the ISE it is using the notorious "host/" prefix. I read in the ACS 5.2 user guide that there is an option to crop it. I tried to find the same feature in the ISE, but it seems there is none.
I have the authentication policy configured to use a certificate authentication profile as identity source when the method is dot1x without any additional conditions.
In this profile I tried several options, including the common name, subject, subject alternative name. Nothing helped.
Does anybody have a tip on how to solve this?
Thanks in advance
If I understood correctly I don't need to create an external identity source when using the Certificate Authentication Profile feature.
This is what I got from the documentation:
"Certificate authentication profiles are used in authentication policies for certificate-based authentications in place of identity sources to verify the authenticity of the user."
I intend to use machine based authentication without contacting an external identity source.
I also ensured the root CA certificate is selected to be used for EAP-TLS authentication.
This brings me to another question.
If the CA issuing machine or user certificates is itself an intermediate CA, do I have to install a chained certificate (intermediate CA + root CA) in the ISE, or both CA certificates separately?
Thanks in advance
Regards,
Patrick -
ISE machine authentication - only plug in to the network after booting
Hi experts.
I have recently deployed ISE with machine authentication.
However, when the machine is already plugged in to the switch before booting, the machine does not authenticate automatically. It isn't until I log on, using a local computer account, that 802.1X authentication occurs. Using wireshark, I have verified again that this authentication is MACHINE authentication, not user-authentication.
Is there a way to solve this problem, other than having my users unplug their computer and only plug in to the network after booting?
Eric
Hi Vattulu,
The method of machine access restriction will be used, because there is no plan to use AnyConnect NAM in the client environment, since the prerequisite for EAP-chaining is to use AnyConnect.
Regards,
Eric -
Machine +User Auth for windows endpoint autheticating through ISE
Hi
Is there any way to use machine + user auth at the same time when authenticating a Windows machine through ISE? In the Windows native supplicant the options are:
1) Machine OR user Auth
2) User Authentication
3) Machine Authentication
4) Guest authentication
I want to give more privileged access to endpoints where they are joined to the AD domain AND the user is logged in using AD credentials.
Is there any way to achieve this functionality ...
With Windows you do not have the option; however, ISE 1.1.1 and the latest Cisco AnyConnect NAM supplicant (which is free) have a feature called EAP chaining, which uses EAP-FAST to send the authentication sequence just as you want.
Here is the reference:
ISE release notes
http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp307279
Anyconnect release notes
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/release/notes/anyconnect31rn.html#wp998871
Configuration of anyconnect -
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect31/administration/guide/ac04namconfig.html#wp1065210
Tarik Admani
*Please rate helpful posts* -
Hi,
I have set up ISE 1.1.1. Users are getting authenticated against AD. Everything is working fine except that some users report disconnections. I see in ISE that (Authentication failed: 24415 User authentication against Active Directory failed since user's account is locked out). Users are using Windows 7 OS.
The error is enclosed & here is the port configuration.
Port Configuration.
interface GigabitEthernet0/2
switchport access vlan 120
switchport mode access
switchport voice vlan 121
authentication event fail action next-method
authentication event server dead action reinitialize vlan 120
authentication event server alive action reinitialize
authentication host-mode multi-auth
authentication order mab dot1x
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 60
spanning-tree portfast
ip dhcp snooping limit rate 30
Please help.
The error message means that the Active Directory server rejected the authentication attempt
because for some reason the user account got locked. I guess you should ask your AD team to check in the AD
event logs why the user account got locked.
You can find it under Event Viewer.
Regards
Minakshi (Do rate the helpful posts) -
Hi,
Since we implemented Cisco ISE we receive the following failure on several Notebooks:
Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
This happens 2 or 3 times per day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
Why is this happening?
Thanks,
Marc
The possible causes of this error message are:
1.] The end user entered an incorrect username.
2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentications.
3.] If a PSN does not receive a response from the supplicant within the limit during an EAP conversation, it will throw this error code. In the majority of cases it says EAP session timed out.
In your case, the 3rd option seems to be the closest one.
Jatin Katyal
- Do rate helpful posts -