Login Failure

estelamathew
Level 2

Hello,

I'm not able to log in to a Windows machine. NAC is deployed in Layer 2 Virtual Gateway mode; when the switch port is changed to the auth VLAN, it gives me the error "Windows cannot log you on because the domain is not available". When I change the port to the access VLAN, the user is able to log in.

The user machine is connected to an HP access switch, the NAC and NAM are connected to a different HP core switch, and the Windows AD is connected to a Cisco switch. All my configuration is correct in the NAS; where am I missing something?

  1. I have done the VLAN mapping
  2. Managed subnet
  3. Static route
  4. AD SSO service is also started
  5. Policies are open in the unauthenticated role

Is there something I'm missing somewhere?


Tiago Antunes
Cisco Employee

Hi,

Assuming from your description that you are doing AD SSO: if the user is not able to log in to the domain on the initial Windows login screen, then it means the DC is not reachable.

If you add a rule to allow all traffic on the unauthenticated role, is the user able to log in to the domain?

If yes, then I would double-check the traffic policies you have configured:

http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1119307.

HTH,

Tiago

--

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Hello Tiago,

I have opened each and every protocol and it still says the domain is not available, but when I change to the trusted access VLAN the user is able to log in.

In the untrusted VLAN the user is not able to log in.

Thanks,

That means for sure that the traffic is not leaving the Clean Access Server.

Either it is being blocked or the VLAN mapping is wrong...

Have you tried the rule "Allow All"?

Can you show us the VLAN mapping, the Managed Subnets, and what IP address the client is getting?

HTH,
Tiago


Hello Tiago,

Here it is, attached.

Can you confirm whether what I have configured in my other thread on requirements is correct or not???

Hi,

I do not see the Allow All rule I asked you to configure for testing purposes...

Can you please try it?

And what is the IP address the client PC is getting?

HTH,

Tiago


Hello Tiago,

I have put a static IP on that PC; what do you mean by "open all"??? I have shown in the 5 screenshots that all is open in the unauthenticated role in the Manager and the Server.

Please temporarily configure your unauthenticated "traffic rules" to permit all IP traffic and set the "Trusted" field to "*:*". That's to test whether the login failure is due to traffic rules or not.

Also, are you using DHCP for your PCs? What's your default gateway? It would be very useful to see a network diagram.

You mentioned you're using VG. But are you using OOB or in-band? Please note that OOB doesn't support HP switches. It only supports Cisco.

Hello,

Do I have to allow the Windows AD access VLANs on the trusted interface of the CAS??????

Also, are you using DHCP for your PCs? What's your default gateway? It would be very useful to see a network diagram.

I have put a static IP on the workstation; the default gateway is the interface VLAN on the core.

You mentioned you're using VG. But are you using OOB or in-band? Please note that OOB doesn't support HP switches. It only supports Cisco.

I'm using in-band Virtual Gateway.

Thanks

Hi,

You need to allow the traffic in both directions.

If your PC cannot even log in to the domain, then for sure something is blocking the traffic.

That is why we advised you to "allow all" on the unauthenticated role, to make sure it is/isn't the CAS that is blocking the traffic needed for AD login.

HTH,

Tiago


Hello Tiago,

Attached is the screenshot for allow all traffic. I have applied allow all traffic in CCA Server > Filter > Roles > Traffic Control and also in the NAM Manager in User Roles > Traffic Control > IP.

Please correct me where I'm missing something. This issue is pending, dears; waiting for replies.

Thanks

Hello Dears,

I have captured logs from the testing PC to the Wireshark PC.

Attached are the logs from Wireshark, trying to log in from the testing PC, which is in the unauthenticated VLAN; the Wireshark PC is also in the same VLAN, capturing packets on the same switch. Both are given static IPs in the same subnet, and still the testing PC is not able to log in; it gives the error "computer cannot log you on because domain XXX is not available".

I can see traffic hitting the DC but no reply from the DC to the testing PC.

  1. Testing PC is 10.75.116.141
  2. Wireshark PC is 10.75.116.160
  3. Primary Domain Controller is 10.75.7.130
  4. Secondary Domain Controller is 10.75.7.140

Thanks.

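A small script to do the check described in the post above (traffic reaching the DC, nothing coming back) over a capture summary rather than by eye. It is an added example and not code from the thread; the capture lines are constructed, the IP addresses are the ones posted, and the list of logon ports is an assumption.

```python
"""Added example, not from the thread: find logon requests from the test PC to
the domain controllers that never got a reply. Addresses are the ones posted
in the thread; the sample capture and the AD port list are assumptions."""
from collections import defaultdict

TEST_PC = "10.75.116.141"
DCS = {"10.75.7.130", "10.75.7.140"}          # primary and secondary DC
# Services a Windows domain logon normally needs (assumption, not from the thread).
AD_PORTS = {53: "DNS", 88: "Kerberos", 135: "RPC", 389: "LDAP", 445: "SMB"}

# Constructed capture summary, tab-separated in the shape of
# `tshark -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport` output.
SAMPLE_CAPTURE = """\
10.75.116.141\t49152\t10.75.7.130\t53
10.75.7.130\t53\t10.75.116.141\t49152
10.75.116.141\t49153\t10.75.7.130\t88
10.75.116.141\t49153\t10.75.7.130\t88
10.75.116.141\t49154\t10.75.7.130\t389
10.75.116.141\t49155\t10.75.7.140\t445
10.75.116.160\t49200\t10.75.7.130\t88
"""

def parse_capture(text):
    """Yield (src, sport, dst, dport) tuples; skip blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 4 or not parts[1].isdigit() or not parts[3].isdigit():
            continue
        yield parts[0], int(parts[1]), parts[2], int(parts[3])

def unanswered_requests(packets, client=TEST_PC, servers=DCS):
    """Return {(dc_ip, port, service): request_count} for client->DC requests
    on AD ports where nothing came back from dc:port to the client's port."""
    sent = defaultdict(int)      # (dc, dc_port, client_port) -> requests seen
    answered = set()             # same key, for packets flowing DC -> client
    for src, sport, dst, dport in packets:
        if src == client and dst in servers and dport in AD_PORTS:
            sent[(dst, dport, sport)] += 1
        elif dst == client and src in servers and sport in AD_PORTS:
            answered.add((src, sport, dport))
    result = defaultdict(int)
    for (dc, port, cport), count in sent.items():
        if (dc, port, cport) not in answered:
            result[(dc, port, AD_PORTS[port])] += count
    return dict(result)

if __name__ == "__main__":
    for (dc, port, svc), n in sorted(unanswered_requests(parse_capture(SAMPLE_CAPTURE)).items()):
        print(f"{n} unanswered {svc} request(s) to {dc}:{port}")
```

On the constructed sample the DNS query is answered, while the Kerberos, LDAP and SMB requests get nothing back, which is the symptom the post reports; traffic from the Wireshark PC itself is ignored.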

Hi,

I would then check on the DC why it is not replying...

HTH,
Tiago
