CISCO ISE ISSUE 24206 User disabled
Hi there,
We have an issue here with Cisco ISE. When I create a guest account with the sponsor portal, we can't access the WLAN. On the Cisco ISE, Operations \ Authentications returns the error message: Event "Authentication", Failure Reason "24206 User Disabled", Auth Method "PAP_ASCII", Authentication Protocol "PAP_ASCII".
In order to fix this issue, what can I do? I don't understand why, because I can create the user without an error message.
At the sponsor portal, the user that I have created doesn't show in the list...
Any help??
Regards
Adriano
Select the affected account and click Reinstate.
It is possible that your sponsor account does not have the permission to Reinstate/Suspend accounts. Check/change this in your ISE admin page:
- Go to Administration > Guest Management > Sponsor Groups.
- Click the Sponsor Group your sponsor account is a member of to edit.
- Select tab Authorization Levels: view/modify the permission listed for the option Suspend/reinstate Accounts.
ref: https://supportforums.cisco.com/discussion/11431386/ise-guest-user-problem
Similar Messages
-
Hi!!
We are working on a mapping between a Sponsor Group in Cisco ISE and a user group in Active Directory....but the client wants the mapping to be through a RADIUS SERVER, for avoiding ISE querying directly the Active Directory.
I know it is possible to use a RADIUS SERVER as an external identity source for ISE.....but, is it possible to use this RADIUS SERVER for this sponsor group handling?
Thanks and regards!!
Yes, it is possible to map a Sponsor group to a user group in AD. If you want to know how to do it, please open the link below and go to the heading Mapping Active Directory Groups to Sponsor Groups.
http://www.cisco.com/en/US/docs/security/ise/1.0/user_guide/ise10_guest_pol.html#wp1096365 -
Cisco ISE and Fast User Switching
Greetings,
In our deployment, we are interested in utilizing the "Fast User Switching" that is contained within the Windows functionality. After searching for quite a while, I see that the native Windows supplicant is not compatible with Fast User Switching. It does not appear that AnyConnect is either. Can you please inform me as to what supplicant I would need to research in order to allow for the User Switching functionality?
We are currently using ISE 1.2 Patch 4.
Thank You for any assistance.
David
The NAC Agent for Cisco ISE does not support Windows Fast User Switching when using the native supplicant. This is because there is no clear disconnect of the older user. When a new user is sent, the Agent is hung on the old user process and session ID, and hence a new posture cannot take place. As per the Microsoft Security policies, it is recommended to disable Fast User Switching.
Source:
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_pos_pol.html -
Hi,
Since we implemented Cisco ISE we receive the following failure on several Notebooks:
Authentication failed : 24408 User authentication against Active Directory failed since user has entered the wrong password
This happens 2 or 3 times per Day. So basically the authentications are working. But when the failure appears, the connection is lost for a short time.
The Clients are using PEAP(EAP-MSCHAPv2) for Authentication. We've got a Cisco Wireless Environment (WLC 5508).
Why is this happening?
Thanks,
Marc
The possible causes of this error message are:
1.] If the end user entered an incorrect username.
2.] The shared secret between WLC and ISE is mismatched. With this we'll see continuous failed authentication.
3.] As long as a PSN is not receiving a response from the supplicant within this limit during an EAP conversation, it will throw this error code. In the majority of cases it says EAP session timed out.
In your case, the 3rd option seems to be the closest one.
Jatin Katyal
- Do rate helpful posts - -
Good morning everyone,
I have some trouble to use my Cisco ISE to do Central Web Authentication. I followed this following configuration example : http://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/116087-configure-cwa-wlc-ise-00.html
But for the moment, clients can't see the web portal. My WLC and my Cisco ISE are well configured as presented in the document; when clients connect to the AP, they are listed in the Cisco ISE with the good authorization profile, but the URL redirection doesn't work as well as I want: clients have to manually enter the IP address in the web browser to log in through the Cisco ISE.
If anyone already had this problem, maybe could tell me more about that.
Thanks in advance!
Good news!
I have resolved my problem 15 minutes ago. For people who have the same problem, I have just changed my static route in my WLC. The issue was that I broadcast the same VLAN used for the management interface and in adding the network allowing admin to reach service-port, all traffic of my broadcasted VLAN was sent to the service-port. A simple netmask modification resolved the problem.
I have still a problem with CoA which doesn't work properly and I have to disconnect/reconnect to the SSID to have a complete access but I'm going to continue my research for that.
Thanks all for your help !!!! -
Cisco ISE - Computer and User Authentication on AD for Wireless Clients.
Hello all,
I am trying to configure Cisco ISE to authenticate/authorize Wireless access with PEAP MsChapv2.
The AD user authorization works fine, but I cannot see on the logs a challenge for the computer verification (it must be a domain member).
I have found an attribute I would use for this action, but I cannot use it, because I don't see the challenge for the computer challenge.
Can you explain me if this fact is involved by the ISE configuration or by the client configuration ?
Thanks a lot for your help.
The followings screenshots show the logs appearing in the ISE :
Kind regards, Emeric.
This is a great question and I wanted to add my input, and I have a question as well. My understanding is that in order to do both Machine and User, EAP-Chaining is required, which uses EAP-FAST.
In my testing, when a domain box is configured for computer/user authentication, when the laptop starts up it will authenticate with a host/ and SID in the log.
When the user logs in you then see the user ID.
For my benefit, what rule are you talking about?
Thank you -
Hello
I am interested to know how the Cisco ISE 1.2 base licences are consumed. As per the Cisco ISE 1.2 user guide: "The Base License is consumed whenever an authentication notification is received by Cisco ISE."
Based on the above statement I have the following queries:
RADIUS being a UDP-based request, it's only during the time the endpoint is authenticated and authorized that the base license is consumed, and then it is released. Then how does Cisco ISE track the concurrent endpoints connected to the network?
Thanks
Kumar
Thanks for the reply, Tarik.
As I understand, you mean that a base license is consumed by every RADIUS authentication request and then the license is free to be utilised again.
Also, would this mean that if RADIUS accounting is turned off, then concurrent sessions will not be tracked?
Thanks
Kumar -
Cisco ISE - General Info. & capabilities
Hello All,
I've read quite a bit of ISE features, but would like to know the following:
1. Can ISE provide/track details of user activity, like which servers/websites he accessed over a period of time?
2. Can it provide details of how much data was transferred from a particular server to a specific client?
3. For a 1500 user env. (1000 desktops and 500 wireless devices) which model of ISE would be appropriate?
4. How would having ISE be different from already deployed authentication services like Active Directory or built-in application authentication for solutions like Oracle ERP systems?
5. I see ISE as being marketed primarily for wireless devices (BYOD), but how would it help for wired devices (or does it become an unnecessary authentication level apart from AD, switch based 802.1x, etc)
Thank you.
Regards,
Adnan
Cisco ISE is a consolidated policy-based access control system that incorporates a superset of features available in existing Cisco policy platforms. Cisco ISE performs the following functions:
• Combines authentication, authorization, accounting (AAA), posture, and profiler into one appliance
• Provides for comprehensive guest access management for the Cisco ISE administrator, sanctioned sponsor administrators, or both
• Enforces endpoint compliance by providing comprehensive client provisioning measures and assessing device posture for all endpoints that access the network, including 802.1X environments
• Provides support for discovery, profiling, policy-based placement, and monitoring of endpoint devices on the network
• Enables consistent policy in centralized and distributed deployments that allows services to be delivered where they are needed
• Employs advanced enforcement capabilities including security group access (SGA) through the use of security group tags (SGTs) and security group access control lists (SGACLs)
• Supports scalability to support a number of deployment scenarios from small office to large enterprise environments
The following key functions of Cisco ISE enable you to manage your entire access network.
Provide Identity-Based Network Access
The Cisco ISE solution provides context-aware identity management in the following areas:
• Cisco ISE determines whether users are accessing the network on an authorized, policy-compliant device.
• Cisco ISE establishes user identity, location, and access history, which can be used for compliance and reporting.
• Cisco ISE assigns services based on the assigned user role, group, and associated policy (job role, location, device type, and so on).
• Cisco ISE grants authenticated users with access to specific segments of the network, or specific applications and services, or both, based on authentication results.
ISE 3315 can support 1500 users with appropriate license. -
Cisco ISE 1.2.1 deployment issue with AnyConnect and Profiling
Hi All,
We are running Cisco ISE boxes on version 1.2.1, wherein I am facing the issues below during deployment. We have two ISE boxes, where one box acts as Primary Admin, Secondary MNT and Policy Service and the second box acts as Secondary Admin, Primary MNT and Policy Service.
1) Profiling of Endpoints - HP LaserJet printer 55XX series and scanner profiling are not happening in Cisco ISE 1.2.1, wherein I have enabled the probes below in ISE for profiling:
RADIUS Probe
SNMP Probe, SNMP Trap, HTTP Probe and DNS
2) AnyConnect issue - We are using AnyConnect supplicant 3.0.11042 for wired and wireless user profiles on Windows 7 Enterprise 32-bit machines
- Yellow mark issue - Once authentication and posturing are completed, we are getting a yellow mark on the network drive but we are still able to connect to the network
- Network Map Drive issue - Once authentication and posturing are completed, we are getting a red cross mark on the network map drive, and if we double-click on that drive then it becomes accessible and the red mark turns green.
For that we have already allowed Ip level access to all domain in before logon dacl ( Machine authentication )
That would be really great if any one can help me on the same.
Thanks & Regards
Pranav
Hi Pablo,
Please find the solutions below:
Yellow mark issue - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet. This service is disabled by default on the Windows XP and Windows 8.X operating systems. It is only enabled by default on the Windows 7 and Windows Vista operating systems.
Network Map Drive issue - Create a logon script and deploy it using group policy. The script will check full network connectivity and then map the network drives.
Regards
Pranav -
CoA issue with Cisco ISE 1.2
Hi, I am currently implementing webauth with Cisco ISE for self-registration, but I am having an issue with CoA. I was able to get non-Windows machines to work, but with Windows I can't push out the URL redirection through CoA. I have enabled debug and I can see ISE trying to push out the URL redirection to the port; however, the URL was not shown when I issued a show authentication session interface gi 1/0/x command. The only issue I can see from the debugging is that the interface failed authorization first, then had a successful authorization right after. Again, the URL redirection works on non-Windows machines; I have even gone as far as disabling the dot1x supplicant on Windows and it still didn't fix the issue.
Please see the attachment for the debugging I mentioned above. If anyone knows or has had this issue before, please let me know how I can resolve this.
Finally figured it out. The redirection ACL was messed up.
-
Good Day,
I have Cisco ISE 1.2 with Cisco 2960 NAD.
I configured the authorization for the employee successfully, but my issue is with the guest users the link is not redirected.
Please advise what I have put in the authentication policy default rule?? deny access ?
And on the switch I should put the guest connect to a specific ports or I have to configure specific VLAN in the authorization profile?
Appreciate your support,
In your authorization policy you are giving your Wired-Guest the same result as Wired-Webauth.
First time through you don't know he's a guest so he hits Wired-Webauth and gets redirected. Second time through, you have him in guest flow, so you know he's an authenticated guest, he hits Wired-Guest, but you send him the same permissions "Web_Auth". Create a profile that you want to give to your authenticated guests - Guest_Allowed for instance. -
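The two-pass flow described in the reply above, as an added sketch that is not part of the original thread and is not ISE code: a simplified first-match policy model in Python. The rule and profile names come from the thread; the rule conditions, the `guest_flow` flag, the fallback profile and the set of redirecting profiles are assumptions of this model.

```python
# Simplified model of first-match authorization policy evaluation (not ISE code).
from dataclasses import dataclass


@dataclass
class Session:
    mac: str
    guest_flow: bool = False  # assumed flag: True after a successful portal login


# Each rule: (name, condition, resulting authorization profile).
# Names are taken from the thread; the conditions are assumptions.
BROKEN_POLICY = [
    ("Wired-Guest", lambda s: s.guest_flow, "Web_Auth"),
    ("Wired-Webauth", lambda s: True, "Web_Auth"),
]
FIXED_POLICY = [
    ("Wired-Guest", lambda s: s.guest_flow, "Guest_Allowed"),
    ("Wired-Webauth", lambda s: True, "Web_Auth"),
]

# Profiles that carry a URL redirect to the portal (assumption of this model).
REDIRECTING_PROFILES = {"Web_Auth"}


def authorize(policy, session):
    """Return (rule, profile) of the first rule whose condition matches."""
    for name, cond, profile in policy:
        if cond(session):
            return name, profile
    return "Default", "DenyAccess"  # placeholder fallback, never hit here


def guest_login_trace(policy, mac="00:11:22:33:44:55"):
    """Walk one constructed endpoint through both passes, recording decisions."""
    s = Session(mac)
    trace = [authorize(policy, s)]      # pass 1: endpoint not yet known as guest
    s.guest_flow = True                 # guest authenticates on the portal
    trace.append(authorize(policy, s))  # pass 2: re-authorization after login
    return trace


def stuck_in_redirect(policy):
    """True if an authenticated guest still receives a redirecting profile."""
    _, final_profile = guest_login_trace(policy)[-1]
    return final_profile in REDIRECTING_PROFILES


if __name__ == "__main__":
    for label, pol in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(label, guest_login_trace(pol), "stuck:", stuck_in_redirect(pol))
```
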
Cisco ISE users self-registration Time Zone
Hello, everyone!
I'm configuring ISE Guest portal and I wonder why I need to choose time zone while in self-registration? Where is it used? And how can I disable this parameter from the self-registration page?
Time profiles provide a way to give different levels of time access to different guest accounts. Sponsors must assign a time profile to a guest when creating an account, but they cannot make changes to the time profiles. However, you can customize them and specify which time profiles can be used by particular sponsor groups. Beginning with Cisco ISE 1.2 time profiles are referred to as the account duration in the Sponsor portal.
Cisco ISE 1.2 includes these default time profiles, which replace the profiles available previously:
DefaultFirstLoginEight—the account is available for 8 hours starting when the guest user first successfully connects to the Guest portal. This replaces the DefaultFirstLogin time profile.
DefaultEightHours—the account is available for 8 hours starting when sponsors first create the account. This replaces the DefaultOneHour time profile.
DefaultStartEnd—sponsors can specify dates and times on which to start and stop network access. -
issue with cisco acs 4.2.Users unable to login aaa client but after restarting group policy able to login
-
Cisco ISE Guest Portal - DNS Issue - External Zone
Hello,
I have a customer that has the following scenario:
In a wireless deployment and a Cisco ISE 1.1.3 deployment with CWA, when the wireless guest receives the redirect URL from ISE (URL to access the ISE Guest Portal), this URL is based on the ISE DNS name, not on its IP address; so, the PC can't resolve this via DNS name since there is no DNS in the External zone (for guests) or by using the ISP DNS server addresses provided by the DHCP server, and, so, it can't access the Guest Portal at all;
I know that trying to manually code the IP address does not work (i.e. in the CWA Authorization profile, the equivalent URL redirect via the Cisco av-pair as follows:
cisco-av-pair=url-redirect=https://10.10.10.10:8443/guestportal/gateway?sessionId=sessionIdValue&action=cwa, )
since the sessionIdValue variable is not replaced by its real value when sent to the wireless client)
My question is: Has this issue been addressed in version Cisco ISE 1.2 - has anyone tried it if it has been addressed? If not in Cisco 1.2 - does anyone know if this feature will become available?
Thank-you in advance for your replies.
Robert C.
Robert,
Manual assignment has been made available in ISE 1.2 release.
M. -
Assigning IP addresses to VPN users from Cisco ISE
Hi all,
I would appreciate if anyone could share his experience in assigning ip addresses (not static ones, but from a pool) to VPN users. The Radius is Cisco ISE and I am trying to configure this in the Authorization Results Tab. VPN gateway is ASA 8.4.
Thanks in advance,
Lora
Hi Lora,
Try going through the following link, might be helpful.
http://www.cisco.com/en/US/docs/security/ise/1.2/user_guide/ise_ipep_deploy.html#wp1252535