
Unable to authenticate wireless users who use EAP against the Microsoft Windows Active Directory database with Cisco Secure ACS, and the "External DB account Restriction" error message appears in the logs


Core issue

This issue is generally seen when there are multiple domains.

In order to isolate this issue, view the logs for CSWinAgent under C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs.

If these entries appear in the CSWinAgent logs, then it is a Microsoft Windows issue:

CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Attempting Windows authentication for user
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Windows authentication SUCCESSFUL (by SPKFP)
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Obtaining RAS information for user from SPKFP
CSWinAgent 04/18/2007 18:05:13 A 0048 4736 NTLIB: MprAdminUserGetInfo returned error 0x6ba

ACS cannot resolve the RAS information for the other domain and hence returns the "MprAdminUserGetInfo returned error 0x6ba" error message. That is, ACS failed to get RAS information for the user from SPKFP, where SPKFP is the domain controller (DC) of the user who tries to authenticate.

Note: This issue occurs on both the ACS appliance and ACS for Windows. In the case of ACS for Windows, this error can be checked in Auth.log. In the case of the ACS appliance, this error can be checked in the CSWinAgent remote agent logs.
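
A triage sketch for the log pattern above, added here as an example (not Cisco code): it flags requests where Windows authentication succeeded but the RAS lookup then failed with 0x6ba, and lists the DC names involved. The sample log, its user names and the HQDC01 name are constructed, and treating the three fields before "NTLIB:" as a per-request key is an assumption.

```python
import re

# Constructed sample in the format of the CSWinAgent excerpt above.
# The user names and the second DC (HQDC01) are made up for illustration.
SAMPLE_LOG = """\
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Attempting Windows authentication for user alice
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Windows authentication SUCCESSFUL (by SPKFP)
CSWinAgent 04/18/2007 18:06:02 A 0048 5120 NTLIB: Attempting Windows authentication for user bob
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Obtaining RAS information for user alice from SPKFP
CSWinAgent 04/18/2007 18:06:02 A 0048 5120 NTLIB: Windows authentication SUCCESSFUL (by HQDC01)
CSWinAgent 04/18/2007 18:06:02 A 0048 5120 NTLIB: Obtaining RAS information for user bob from HQDC01
CSWinAgent 04/18/2007 18:05:13 A 0048 4736 NTLIB: MprAdminUserGetInfo returned error 0x6ba
"""

# Assumption: the three fields before "NTLIB:" identify the worker handling a
# request, so they are used to keep interleaved requests apart.
LINE = re.compile(r"^CSWinAgent (?P<ts>\S+ \S+) (?P<ctx>\S+ \S+ \S+) NTLIB: (?P<msg>.*)$")
AUTH_OK = re.compile(r"Windows authentication SUCCESSFUL \(by (?P<dc>[^)]+)\)")
RAS_REQ = re.compile(r"Obtaining RAS information for user\s*(?P<user>.*?)\s*from (?P<dc>\S+)$")
RAS_ERR = re.compile(r"MprAdminUserGetInfo returned error (?P<code>0x[0-9a-fA-F]+)")
RPC_S_SERVER_UNAVAILABLE = 0x6BA  # Win32 error 1722, "The RPC server is unavailable"

def find_ras_lookup_failures(text):
    """Return one finding per request that authenticated but failed the RAS lookup."""
    pending, findings = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an NTLIB line in the expected format
        ctx, msg = m["ctx"], m["msg"]
        if a := AUTH_OK.search(msg):
            pending[ctx] = {"dc": a["dc"], "user": ""}
        elif (r := RAS_REQ.search(msg)) and ctx in pending:
            pending[ctx].update(dc=r["dc"], user=r["user"])
        elif (e := RAS_ERR.search(msg)) and ctx in pending:
            state = pending.pop(ctx)
            findings.append({"time": m["ts"], "code": int(e["code"], 16), **state})
    return findings

def unreachable_dcs(findings):
    """DC names whose RAS lookup failed with 0x6ba, sorted and de-duplicated."""
    return sorted({f["dc"] for f in findings if f["code"] == RPC_S_SERVER_UNAVAILABLE})

if __name__ == "__main__":
    for f in find_ras_lookup_failures(SAMPLE_LOG):
        print(f"{f['time']} user={f['user'] or '?'} dc={f['dc']} error={f['code']:#x}")
```

The DC names it reports are the ones whose domains need to be covered when the DNS suffixes are added.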


In order to resolve this issue, add the DNS suffixes to the Ethernet controller with these steps:

  1. Choose Network Connections from the control panel.

  2. Right-click the local area connection.

  3. Choose Properties.

  4. Double-click the TCP/IP option.

  5. Choose Advanced at the bottom.

  6. Click on DNS at the top.

  7. Choose Append these DNS suffixes.

  8. Add the FQDN for each domain that ACS authenticates against in the field.

  9. Try the authentication again, and it should work now.