Is this a bug in ACS 184.108.40.206.4?
We have some AD user accounts that are permitted to log onto certain computers. I am able to log onto the permitted computers with the AD account, but the 802.1x fails and the client is unable to get a network connection. It is on the right VLAN, but it can't ping the default gateway and it's not set to the guest VLAN. In the ACS log we see the error "EAP session timed out : 24441 Account not permitted to log on using the current workstation"
I verified it by testing another user. I limited the user to only log onto one certain computer. I then logged onto that computer, and soon after that I lost network connection and the same error was in the log.
This means that the 802.1x will fail if you try to limit what computers a user account can log onto in AD. Has anyone experienced this before?
I know that this is two years old, but we just ran into the same problem, though with ISE 1.2. ISE and ACS MUST be added to the allowed computers list for the user. That does require that ISE or ACS be in the same domain as the users, which would be an issue for the person who started this chain. The "current workstation" in the error message "24441 Account not permitted to log on using the current workstation" refers to ACS or ISE, not the end machine, as maldehne explained above. This is because, in essence, the user is logging into ACS or ISE for the purpose of the authentication against AD. Not directly, but that's how 802.1X is working. Once ACS or ISE is added, the authentication works perfectly (as long as everything else is correct).
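The fix described in the reply above can be audited across the directory. The following is an added example, not part of the original thread: it lists AD users that have a "Log On To" restriction which omits the ACS/ISE nodes, and with `-Fix` appends them. The node names `ISE-PSN01` and `ISE-PSN02` are hypothetical placeholders for the computer names under which your ACS/ISE nodes are joined to the domain.

```powershell
# Audit (and optionally fix) AD users whose "Log On To" list omits the
# ACS/ISE nodes that perform the AD lookup during 802.1X authentication.
# Requires the ActiveDirectory module (RSAT).
[CmdletBinding(SupportsShouldProcess)]
param(
    # ASSUMPTION: placeholder names; replace with your ACS/ISE computer names.
    [string[]]$PolicyNodes = @('ISE-PSN01', 'ISE-PSN02'),
    # Without -Fix the script only reports; nothing is changed.
    [switch]$Fix
)

Import-Module ActiveDirectory

# userWorkstations is the LDAP attribute behind the "Log On To" dialog.
# The AD module exposes it as LogonWorkstations, a comma-separated string.
# Users without the attribute are unrestricted and are not affected.
$restricted = Get-ADUser -LDAPFilter '(userWorkstations=*)' -Properties LogonWorkstations

foreach ($user in $restricted) {
    # Split the stored list and drop empty entries and stray whitespace.
    $allowed = @($user.LogonWorkstations -split ',' |
                 ForEach-Object { $_.Trim() } |
                 Where-Object { $_ })

    # -notcontains compares case-insensitively, matching how AD treats names.
    $missing = @($PolicyNodes | Where-Object { $allowed -notcontains $_ })
    if ($missing.Count -eq 0) { continue }

    # Report every restricted account that would hit error 24441.
    [pscustomobject]@{
        User    = $user.SamAccountName
        Allowed = $allowed -join ','
        Missing = $missing -join ','
    }

    if ($Fix) {
        # Keep the existing workstations and append the missing nodes.
        $newList = ($allowed + $missing) -join ','
        Set-ADUser -Identity $user -LogonWorkstations $newList
    }
}
```

Run it without `-Fix` first to review the affected accounts; `-Fix -WhatIf` shows the changes `Set-ADUser` would make without applying them.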