I am trying to get my Cisco Catalyst switches (2960G) to use MS NPS as a RADIUS server so that AD accounts can be used to log into and manage the device. I have read several guides on the internet including some posts here at EE - no resolution. My problem is that I get 'Authentication was not successful because an unknown user name or incorrect password was used' in the event logs. I am 100% sure that the username and password are correct. The account is also not locked out and does not have any options such as 'change at next logon'. I have tried the account in AD dial-in properties with 'Allow access' and 'Control with NPS Network Policy'. The account becomes locked after a while, which tells me that the correct account in AD is identified, but the password being tried on the account is not identical to what I enter when I try to log on. I have verified the password is inserted correctly by typing it in the username part as a test (so that I can see the characters that I type).

Proxy Policy Name: Cisco devices policy - v1
Authentication Server: Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
Fully Qualified Account Name:
Reason: Authentication was not successful because an unknown user name or incorrect password was used.

There are 4 main components here: endpoint, switch, ISE, and AD. Since you rarely have control over the endpoints (aside from the GPO) let me list out options that can control the experience:

Switch: There are two timers you can play around with on the interface. One is 'dot1x max-reauth-req' which controls how many retries will be done after the initial failure. Default is 2, which equates to 3 tries in total. So this is why you are seeing a total of 3 failures, which causes lockout. You can reduce 'dot1x max-reauth-req' to 1 to reduce total tries to 2. Another setting is 'dot1x timeout quiet-period'. This controls how long the switch will wait after the 3 tries (or 2 after modification) that were set by 'dot1x max-reauth-req'.

ISE: Under Administration > System > Settings > Protocols > RADIUS there are two settings. One is 'Failures prior to automatic rejection' which is the criteria to ignore any future authentication request from the endpoint, and 'Continue rejecting requests for' controls how long to ignore requests for.

AD GPO: Under GPO account lockout policy there are two settings.
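The answer's point is that one typed login on the switch turns into several RADIUS attempts (initial try plus the 'dot1x max-reauth-req' retransmits), and AD counts every one of them toward the account lockout threshold. The script below is an added example, not code from the thread or from Microsoft or Cisco: it parses Event 6273 ("Network Policy Server denied access to a user") message bodies, groups credential failures from the same account and client that arrive within a short gap into one burst per user action, and replays AD's lockout counter to show which accounts the bursts would lock. The event bodies, the 30-second retry spacing, the account names, the client address 10.0.0.5 and the 60-second burst gap are all constructed for the demonstration; the field labels are the ones NPS writes in Event 6273, and Reason Code 16 is NPS's code for the user-name/password mismatch in the question.

```python
"""Group NPS 'denied access' events (Event ID 6273) into per-login retry bursts.

Added example, not code from the thread. Event bodies are constructed here; on a
real NPS server they come from the Security log. Timings and names are made up.
"""
import re
from datetime import datetime, timedelta

CRED_MISMATCH_CODE = "16"  # NPS Reason Code for unknown user name / wrong password
BAD_CREDS = ("Authentication was not successful because an unknown user name "
             "or incorrect password was used.")


def nps_6273(ts, account, client_ip, reason_code, reason):
    """Constructed Event 6273 message body using the field labels NPS writes."""
    return (ts,
            "Network Policy Server denied access to a user.\n"
            "Contact the Network Policy Server administrator for more information.\n"
            "User:\n"
            f"\tAccount Name:\t\t\t{account}\n"
            f"\tFully Qualified Account Name:\tCORP\\{account}\n"
            "Client Machine:\n"
            "\tClient Friendly Name:\t\tcore-sw-01\n"
            f"\tClient IP Address:\t\t{client_ip}\n"
            "Authentication Details:\n"
            "\tProxy Policy Name:\t\tCisco devices policy - v1\n"
            f"\tReason Code:\t\t\t{reason_code}\n"
            f"\tReason:\t\t\t\t{reason}\n")


# Constructed sample: one typed login = initial try + 2 retransmits (the default
# max-reauth-req 2), so NPS sees three failures 30 s apart; jdoe types twice.
SAMPLE_EVENTS = [
    nps_6273("2024-05-01 09:00:00", "jdoe", "10.0.0.5", "16", BAD_CREDS),
    nps_6273("2024-05-01 09:00:30", "jdoe", "10.0.0.5", "16", BAD_CREDS),
    nps_6273("2024-05-01 09:01:00", "jdoe", "10.0.0.5", "16", BAD_CREDS),
    nps_6273("2024-05-01 09:03:00", "asmith", "10.0.0.9", "16", BAD_CREDS),
    nps_6273("2024-05-01 09:04:00", "bob", "10.0.0.7", "48",
             "The connection request did not match any configured network policy."),
    nps_6273("2024-05-01 09:05:00", "jdoe", "10.0.0.5", "16", BAD_CREDS),
    nps_6273("2024-05-01 09:05:30", "jdoe", "10.0.0.5", "16", BAD_CREDS),
    nps_6273("2024-05-01 09:06:00", "jdoe", "10.0.0.5", "16", BAD_CREDS),
]

FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?):\s*(.*?)\s*$")


def parse_6273(message):
    """Map 'Label:' -> value for each field line; section headers with no value are skipped."""
    fields = {}
    for line in message.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(2):
            fields[m.group(1)] = m.group(2)
    return fields


def is_credential_failure(fields):
    """True for the user-name/password mismatch the question is about."""
    return (fields.get("Reason Code") == CRED_MISMATCH_CODE
            or "incorrect password" in fields.get("Reason", ""))


def credential_failures(events):
    """Yield (timestamp, fields) for credential failures, oldest first."""
    for ts_text, message in sorted(events):
        fields = parse_6273(message)
        if is_credential_failure(fields):
            yield datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S"), fields


def group_retry_bursts(events, gap=timedelta(seconds=60)):
    """Collapse failures from the same account and client that arrive within `gap`
    of the previous one into a burst; burst size - 1 is the switch's retry count."""
    bursts, open_burst = [], {}
    for ts, f in credential_failures(events):
        key = (f.get("Account Name"), f.get("Client IP Address"))
        last = open_burst.get(key)
        if last and ts - last["end"] <= gap:
            last["count"] += 1
            last["end"] = ts
        else:
            last = {"account": key[0], "client": key[1], "count": 1,
                    "start": ts, "end": ts}
            bursts.append(last)
            open_burst[key] = last
    return bursts


def accounts_hitting_lockout(events, threshold, reset_after=timedelta(minutes=30)):
    """Replay AD's bad-password counter: a failure more than `reset_after` after the
    previous one restarts the count; reaching `threshold` locks the account."""
    last_seen, count, locked = {}, {}, set()
    for ts, f in credential_failures(events):
        account = f.get("Account Name")
        prev = last_seen.get(account)
        count[account] = 1 if prev is None or ts - prev > reset_after else count[account] + 1
        last_seen[account] = ts
        if count[account] >= threshold:
            locked.add(account)
    return locked


if __name__ == "__main__":
    for b in group_retry_bursts(SAMPLE_EVENTS):
        print(f"{b['account']}@{b['client']}: {b['count']} failures "
              f"{b['start']:%H:%M:%S}-{b['end']:%H:%M:%S}")
    print("would be locked with threshold 5:",
          accounts_hitting_lockout(SAMPLE_EVENTS, threshold=5))
```

On the constructed input every jdoe burst has three failures, which matches the answer's "default is 2, which equates to 3 tries in total", and two typed logins are enough to reach an AD threshold of 5 even though the user only entered a password twice. To run this against real data, pull the message bodies from the NPS server with `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=6273}` and feed each event's `TimeCreated` and `.Message` into the same functions; if the bursts shrink to two after setting 'dot1x max-reauth-req 1', the switch retransmits, not the password, were driving the lockout.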