CISCO ISE ISSUE 24206 User disabled

Similar Messages

• Is it possible to map a Sponsor Group in Cisco ISE to a user group in Active Directory, through a RADIUS server?

  Hi!!
  We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
  I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
  Thanks and regards!!

  Yes It is possible to map Sponser group to user group in AD and if you want to know how to do please open the below link and go to Mapping Active Directory Groups to Sponsor Groups heading.
  http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365

• Cisco ISE and Fast User Switching

  Greetings,
  In our deployment, we are interested in utilizing the "Fast User Switching" that is contained within the Windows Functionality.   After searching for quite a while, I see that the native Windows supplicant is not compatible with Fast User Switching.   It does not appear that Anyconnect is either.   Can you please inform me as to what suppluicant I would need to research in order to allow for the User Switchign Functionality?
  We are currently using ISE 1.2 Patch 4.
  Thank You for any assistance.
  David

  The  NAC Agent for Cisco ISE does not support Windows Fast User Switching  when using the native supplicant. This is because there is no clear  disconnect of the older user. When a new user is sent, the Agent is hung  on the old user process and session ID, and hence a new posture cannot  take place. As per the Microsoft Security policies, it is recommended to  disable Fast User Switching.
  Source:
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_pos_pol.html

• Cisco ISE Failure: 24408 User authentication against Active Directory failed since user has entered the wrong password

  Hi,
  Since we implemented Cisco ISE we receive the following failure on several Notebooks:
  Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
  This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
  The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
  Why is this happening?
  Thanks,
  Marc

  The possible causes of this error message are:
  1.] If the end user entered an incorrect username.
  2.] The shared sceret between WLC and ISE is mismatched. With this we'll see continous failed authentication.
  3.] As long as a PSN not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In majority of cases it says eap session timed out.
  In your cases, the 3rd option seems to be the most closest one.
  Jatin Katyal
  - Do rate helpful posts -

• CWA using Cisco ISE issue

  Good morning everyone,
  I have some trouble to use my Cisco ISE to do Central Web Authentication. I followed this following configuration example : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
  But for the moment, clients can't seee the web portal. My WLC and my Cisco ISE are well configured as presented in the document, when clients connect to the AP, they are listed into the Cisco ISE with the good authorization profile but, the URL redirection doesn't work as well as I want, clients have to enter manually the IP address in the web browser to log-in trough the Cisco ISE.
  If anyone already had this problem, maybe could tell me more about that.
  Thanks in advance!

  Good news!
  I have resolved my problem 15 minutes ago. For people who have the same problem, I have just changed my static route in my WLC. The issue was that I broadcast the same VLAN used for the management interface and in adding the network allowing admin to reach service-port, all traffic of my broadcasted VLAN was sent to the service-port. A simple netmask modification resolved the problem.
  I have still a problem with CoA which doesn't work properly and I have to disconnect/reconnect to the SSID to have a complete access but I'm going to continue my research for that.
  Thanks all for your help !!!!

• Cisco ISE - Computer and User Authenticiation on AD for Wireless Clients.

  Hello all,
  I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
  The AD user authorization works fine, but I cannot see on the logs a challenge for the computer verification (it must be a domain member).
  I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.
  Can you explain me if this fact is involved by the ISE configuration or by the client configuration ?
  Thanks a lot for your help.
  The followings screenshots show the logs appearing in the ISE :  
  Kind regards, Emeric.

  This is a great question and I wanted to add my input and I have a question as well. My understanding in order to do both Machine and User EAP-Chaining is required, which used EAP-FAST. 
  In my testing, when a domain box is configured for computer/user authentication. When the laptop started up it will authenticate with a host/ and sid in the log.
  When the user logs in you then see the user ID.
  For my benefit when rule are you talking about ?
  Thank you 

• How Cisco ISE 1.2 Base licenses are consumed and tracks concurrent endpoint connected to network

  Hello
  I am interested to know how the cisco ISE 1.2 base licences are consumed. As the cisco ise 1.2 user guide "The Base License is consumed whenever an authentication notification is received by Cisco ISE."
  Based on the above statement i have following queries :-
  Radius being the UDP based request, its only during the time endpoint is authenticated and authorized the base license is consumed and then its is released. Then how does cisco ISE tracks the concurrent endpoints connected to the network.
  Thanks
  Kumar

  thanks for the reply Tarik.
  As I understand, you mean that a base license is consumed by every radius authentication request and then the license is free to be utilised again
  Also would this means if Radius accounting is turned off, then concurrent sessions will not be tracked.
  Thanks
  Kumar

• Cisco ISE - General Info. & capabilities

  Hello All,
  I've read quiet a bit of ISE features, but would like to know the following:
  1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?
  2. Can it provide details of how much data was transferred from a particular server to a specific client?
  3. For a 1500 user env. (1000 desktops and 500 wireless devices) which model of ISE would be appropriate?
  4. How would having ISE be different from already deployed authentication services like Active Directory or built-in application authentication for solutions like Oracle ERP systems?
  5. I see ISE as being marketed primarily for wireles devices (BYOD), but how would it help for wired devices (or does it become and unecessary authentication level apart from AD, switch based 802.1x, etc)
  Thank you.
  Regards,
  Adnan

  Cisco ISE is a consolidated policy-based access control system that  incorporates a superset of features available in existing Cisco policy  platforms. Cisco ISE performs the following functions:
  •Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
  •Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned sponsor administrators, or both
  •Enforces  endpoint compliance by providing comprehensive client provisioning  measures and assessing device posture for all endpoints that access the  network, including 802.1X environments
  •Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
  •Enables consistent policy in centralized and distributed deployments that allows services to be delivered where they are needed
  •Employs  advanced enforcement capabilities including security group access (SGA)  through the use of security group tags (SGTs) and security group access  control lists (SGACLs)
  •Supports scalability to support a number of deployment scenarios from small office to large enterprise environments
  The following key functions of Cisco ISE enable you to manage your entire access network.
  Provide Identity-Based Network Access
  The Cisco ISE solution provides context-aware identity management in the following areas:
  •Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
  •Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
  •Cisco  ISE assigns services based on the assigned user role, group, and  associated policy (job role, location, device type, and so on).
  •Cisco  ISE grants authenticated users with access to specific segments of the  network, or specific applications and services, or both, based on  authentication results.
  ISE 3315 can support 1500 users with appropriate license.

• Cisco ISE 1.2.1 deplyomet issue with Anyconnect and Profiling

  Hi All,
  We are running cisco ise box in 1.2.1 version wherein I am facing below issue while deployment. We are having two ISE boxes where One box act as Primary Admin,Secondary MNT and Policy Service and Second Box act as Secondary Admin,Primary MNT and Policy Service
  1) Profiling of Endpoints - HP Laster jet printer 55XX series and scanner profiling are not happing in Cisco ISE 1.2.1 wherein I have enabled below probes in ISE for profiling 
  RADIUS Probe 
  SNMP Probe                                                                                                                                                                                                                                                  SNMP Trap                                                                                                                                                                                                                                                     HTTP Prob and DNS
  2) Any-connect issue - We are using any-connect supplicant 3.0.11042 for wired and wireless user profile in windows 7 enterprises 32 bit machine
   - Yellow mark issue  -  Once authentication , posturing completed we are getting yellow mark on network  drive but still we are able to connect to network
  - Network Map Drive issue  -  Once authentication , posturing completed we are getting red cross mark on Network map drive and if we double click on that drive then its get accessible and red mark turns in to green.
  For that we have already allowed Ip level access to all domain in before logon dacl ( Machine authentication ) 
  That would be really great if any one can help me on the same.
  Thanks & Regards
  Pranav

  Hi Pablo ,
  Please find below solutions 
  Yellow mark issue  -  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This Service is by default disabled on Windows XP and Widows 8.X operating system. This is only enabled by default on Windows 7 and Windows Vista operating system.
  Network Map Drive issue   - Create logon script and deploy it using group policy. Script will check full network connectivity and then map network drives
  Regards
  Pranav

• Coa issue with Cisco ISE 1.2

  Hi, i am currently implementing webauth with Cisco ISE for self register, but i am having issue coa. I was able to get non-windows machine to work but with windows i can't push out the url redirection through coa.  I have enabled debug and i can see ISE trying to push out the url redirection to the port,  however the url was not show when i issue a show authentication session interface gi 1/0/x command.  The only issue i can see from the debugging is that the interface failed authorization first then a success authorization right after.  Again, the url redirection work on non-windows machine, i have even go as far as disable dot1x supplicant on windows and it still didnt fix the issue.
  please see attachment for the debugging i had mention above.  If anyone know or had this issue before please let me know how i can resolve this.

  finally figured it out.  redirection acl was mess up. 

• Cisco ISE CWA issue

  Good Day,
  I have Cisco ISE 1.2 with Cisco 2960 NAD.
  I configured the authorization for the employee successfully, but my issue is with the guest users the link is not redirected.
  Please advise what I have put in the authentication policy default rule?? deny access ?
  And on the switch I should put the guest connect to a specific ports or I have to configure specific VLAN in the authorization profile?
  Appreciate your support,

  In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.
  First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance.

• Cisco ISE users self-registration Time Zone

  Hello, everyone!
  I'm configuring ISE Guest portal and I wonder why I need to choose time zone while in self-registration? Where is it used? And how can I disable this parameter from the self-registration page?

  Time profiles provide a way to give different levels of time access to different guest accounts. Sponsors must assign a time profile to a guest when creating an account, but they cannot make changes to the time profiles. However, you can customize them and specify which time profiles can be used by particular sponsor groups. Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
  Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
  DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
  DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
  DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access.

• Issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

  issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login

• Cisco ISE Guest Portal - DNS Issue - External Zone

  Hello,
  I have a customer that has the following sceanrio :
  In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redictect  URL  from ISE (URL to access the ISE Guest Portal), this URL is based on  the  ISE DNS name, not on its IP address; so, the PC can't resolve  this via DNS name since there is no DNS in the External zone (for guets) or by using the ISP DNS servers addresses provided  by the  DHCP server, and, so, it can't access the Guest Portal at all ;
  I know that in trying to manually code the IP address - this does not work (ie in the CWA Authorization profile, the equivalent URL redirect via the CISCO av-pair as follows :
  cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
  since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
  My question is : Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if has been addressed? If not in Cisco 1.2 - does anyone know iof this feature will become available?
  Thank-you in advance for your replies.
  Robert C.

  Robert,
  Manual assignment has been made available in ISE 1.2 release.
  M.

• Assigning IP addresses to VPN users from Cisco ISE

  Hi all,
  I would appreciate if anyone could share his experience in assigning ip addresses (not static ones, but from a pool) to VPN users. The Radius is Cisco ISE and I am trying to configure this in the Authorization Results Tab. VPN gateway is ASA 8.4.
  Thanks in advance,
  Lora

  Hi Lora,
  Try going through the following link, might be helpful.
  http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html#wp1252535