It looks like the DSS is continually forwarding the proxy request for the invalid user, and each forwarded request is being handled as a new session. This eventually causes the forwarding request to fail and prevents subsequent authentication requests.
WORKAROUND:
Have the proxy forward the access request to a different DSS. The access node containing the AD Password roll out policy would be assigned to the second DSS. So for the customer that would be:
DSS1:
Enterasys NAC1
Rollout Proxy (Primary)
DSS2:
Rollout (Primary)
The IP address on 'RollOut Proxy (Primary)' would need to be changed to point to the second DSS, and port 2001 would need to be open between the two DSSs.
RESOLUTION:
A product defect has been submitted for this issue. It will be reviewed and a fix will be provided in the next release of the DSS component.