https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285069#M348709 <HTML><HEAD></HEAD><BODY><P>Yes, it belongs to multiple groups in AD, but for the moment the whole AD setup is offline, but still users enter via the group 0.</P></BODY></HTML> Wed, 26 Aug 2009 06:15:39 GMT lni1 2009-08-26T06:15:39Z https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285062#M348660 <P>We are trying to authenticate against a AD group, instead of authenticating with AD it gives the following message and places the users in the default group, any ideas ?</P><P></P><P>RDS 08/10/2009 23:54:03 P 0786 3192 0x0 Found local user MSNET\ibis5471</P><P>RDS 08/10/2009 23:54:03 E 5800 3192 0x0 Failed to get group info about user:MSNET\ibis5471 - CSAuth client has passed userID with invalid id info</P> Sun, 10 Mar 2019 23:38:24 GMT https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285062#M348660 lni1 2019-03-10T23:38:24Z https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285063#M348663 <HTML><HEAD></HEAD><BODY><P>It is a known issue that ACS does look ups based on the outer id instead of the inner id when the outer identity is a username. For whatever reason, when the outer identity is anonymous, ACS correctly does its lookups based on the inner identity.</P><P>It is entirely possible this is why fast-reconnect also fails. I saw the following entries in the RDS.log that correspond to the reported fast-reconnect error in the Failed Attempts log.</P></BODY></HTML> Mon, 17 Aug 2009 23:26:06 GMT https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285063#M348663 mchin345 2009-08-17T23:26:06Z https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285064#M348665 <HTML><HEAD></HEAD><BODY><P>It is normal ACS behavior for AD users to show up in the local users database once they have authenticated. This is a caching feature that is enabled by default(and can be disabled).</P><P></P><P>Are users being allowed access, but these messages are showing up in the logs?</P></BODY></HTML> Wed, 19 Aug 2009 15:09:14 GMT https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285064#M348665 Robert.N.Barrett_2 2009-08-19T15:09:14Z https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285065#M348667 <HTML><HEAD></HEAD><BODY><P>I disabled the whole setup to Windows AD, </P><P>so the authentication should fail, still the authentication for the devices are valid, they are in the default group (0).</P><P>The default group (0) is off limits for everybody, but still these users enter via this group, how is this possible ? </P></BODY></HTML> Fri, 21 Aug 2009 05:33:54 GMT https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285065#M348667 lni1 2009-08-21T05:33:54Z https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285066#M348668 <HTML><HEAD></HEAD><BODY><P>You can create a mapping and map default group with no access group.</P></BODY></HTML> Fri, 21 Aug 2009 08:28:41 GMT https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285066#M348668 Jagdeep Gambhir 2009-08-21T08:28:41Z https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285067#M348669 <HTML><HEAD></HEAD><BODY><P>I already did that, it still enters the default group (0),could it be a problem with my link to AD ?</P></BODY></HTML> Fri, 21 Aug 2009 08:42:56 GMT https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285067#M348669 lni1 2009-08-21T08:42:56Z https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285068#M348688 <HTML><HEAD></HEAD><BODY><P>Does that user belongs to multiple group in AD?</P></BODY></HTML> Fri, 21 Aug 2009 12:37:32 GMT https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285068#M348688 Jagdeep Gambhir 2009-08-21T12:37:32Z https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285069#M348709 <HTML><HEAD></HEAD><BODY><P>Yes, it belongs to multiple groups in AD, but for the moment the whole AD setup is offline, but still users enter via the group 0.</P></BODY></HTML> Wed, 26 Aug 2009 06:15:39 GMT https://community.cisco.com/t5/network-access-control/windows-authentication/m-p/1285069#M348709 lni1 2009-08-26T06:15:39Z