Disconnecting from LAN and connect to Wi-Fi caused AD lockouts

fasttony77
Comes here often


Hi,

We are in the middle of a deployment of Cisco Meraki APs. We are migrating from Cisco WLC with radius authentication via ISE for Corporate LAN access via an SSID.

We are experiencing an issue where some users (not all) disconnect from the LAN to go to a meeting and connect to Wi-Fi. They should automatically connect to the corporate LAN via an SSID. This works for about 80% of users. For about 20% of users they cannot connect to the LAN via an SSID, as this locks out their AD account.

We have configured NAC on the AP port and it authenticates successfully on the network via ISE (3.1 Patch 3). The AP is also configured as a NAD on ISE. The users have EAP-TLS for wired dot1x and PEAP for wireless dot1x. The "Allow Password Change Retries" setting under "Allow PEAP" and "Allow TEAP" is "3".

Any ideas on what could solve these AD Lockout issues?

alemabrahao
Kind of a big deal

I am almost sure that is a Windows Server issue.

https://support.microsoft.com/en-us/topic/the-nps-server-locks-a-user-account-after-four-tries-on-a-...

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
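The reply points at the server side of the lockout. Before changing retry counts, a defender usually wants to confirm that the lockouts really originate from the RADIUS path (one PEAP exchange can generate the initial attempt plus the configured password-change retries) rather than from a workstation or a service. The PowerShell script below is an added example written for this thread; it is not the poster's code and not Cisco, Meraki or Microsoft tooling. It reads event 4740 ("A user account was locked out") from the PDC emulator, groups lockouts by the calling computer, and prints the domain lockout threshold for comparison. The ISE node hostnames, the 24-hour window, and the assumption that the ISE node's computer account shows up as the caller computer name are placeholders and assumptions, not facts from the thread.

```powershell
# Added example (not from the thread): triage AD lockouts by reading 4740 events
# from the PDC emulator, which records every lockout in the domain, and grouping
# them by the "Caller Computer Name" so lockouts that arrive via the RADIUS
# server stand out from lockouts raised by workstations or services.
# Assumptions: run from a domain-joined machine with the ActiveDirectory RSAT
# module; the account can read the DC Security log; the RADIUS nodes' names
# are the placeholders below and appear as the caller computer name.
param(
    [int]$Hours = 24,
    [string[]]$RadiusServers = @('ISE-PSN-01', 'ISE-PSN-02')   # placeholder hostnames
)

Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)

# Event 4740: TargetUserName is the locked-out account; TargetDomainName holds
# the caller computer name that submitted the bad password tripping the threshold.
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = $since
} -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        Caller = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
    }
}

# Lockouts whose caller is a RADIUS node are the 802.1X/PEAP cases.
$fromRadius = $lockouts | Where-Object { $RadiusServers -contains $_.Caller }

"Lockouts in the last $Hours h: $($lockouts.Count); via RADIUS: $($fromRadius.Count)"
$fromRadius | Sort-Object Time -Descending | Format-Table Time, User, Caller -AutoSize

# The same user locked out repeatedly from a RADIUS node points at a stale
# cached credential on that user's device rather than a guessing attack.
$fromRadius | Group-Object User | Where-Object Count -gt 1 |
    Select-Object Name, Count | Sort-Object Count -Descending

# Current policy, to compare against the attempts one PEAP session can produce
# (initial try plus the configured password-change retries).
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutObservationWindow, LockoutDuration
```

If the callers turn out to be the RADIUS nodes and the same users recur, the next place to look is the affected clients' stored wireless profile credentials and the relationship between the retry count and the lockout threshold shown in the last command; if the callers are workstations or other servers, the wireless migration is not the source.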