Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2036
Views
0
Helpful
3
Replies

ISE 2.3 unlocked User authentication Failed

egsuptac911
Level 1
Level 1

‎11-27-2017 07:15 AM - edited ‎02-21-2020 10:40 AM

Locked user was failed in Authentication From ISE 2.3 also After unlocked this user form AD still Failed in authentication, need to make the user success in authentication Automatically after being unlocked without restart the PC or disable and Enable the Network Card.

Labels:
0 Helpful
3 Replies 3

ajc
Level 7
Level 7

‎11-27-2017 07:57 AM - edited ‎11-27-2017 08:04 AM

There is a suppression list on ISE so you need to apply bypass suppression for the specific mac address. See next

 

 

SUPPRESION LIST.png

 

AND, you need to check your suppression list configuration and probably make it the same to the WLC/AD in terms of failed AUTHC

 

SUPPRESION LIST 1.png

 

 

0 Helpful

egsuptac911
Level 1
Level 1

‎11-28-2017 07:28 AM

I understand but the user already retry Dot1x authentication for 3 minutes and Failed also after being unlocked from AD.

My question : if we enable Global Suppression on ISE the clients will success in  Dot1x Authentication Automatically ? or will retry and exceed Detection Interval timer so will fail again?

0 Helpful

ajc
Level 7
Level 7
In response to egsuptac911

‎11-28-2017 08:05 AM - edited ‎11-28-2017 08:06 AM

When the authentication fails TWICE in a 5 minutes period the SUPPRESSION LIST is triggered to cancel repeated failed transactions BUT after 3 more failed authentications during the same period of time, your MAC is placed in that list for 5 minutes. In fact, you can keep trying and still fail until your AD account is locked. ISE basically ignores additional data from failed authentications. At some point you can unlocked your AD account but your MAC would be still in that list and therefore retrying authentication would fail. Use the Suppresion Bypass to remove the MAC from the Internal ISE suppression list so you can try to reconnect immediately.

 

However, if the enduser devices keeps sending wrong credentials after the account was unlocked, then the situation remains the same. The wireless network must be forgotten on the enduser device, AD account unlocked, wait until the suppression list timer expires (or use bypass suppression) and THEN try to reconnect.

 

Global Suppression mechanism tries to avoid overloading ISE from a misbehaving supplicant (it is similar to the EXCLUSION LIST on the WLC). It has nothing to do with the authentication process. It also reduces the amount of accounting updates generated by that anomalous supplicant.

 

Bypass Suppression actually means = remove my MAC from the suppression list immediately so I can retry to authenticate.

0 Helpful
Customers Also Viewed These Support Documents