This issue is generally seen when there are multiple domains.
In order to isolate this issue, view the logs for CSWinAgent under C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs.
If these entries appear in the CSWinAgent logs, then it is a Microsoft Windows issue:
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Attempting Windows authentication for user
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Windows authentication SUCCESSFUL (by SPKFP)
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Obtaining RAS information for user from SPKFP
CSWinAgent 04/18/2007 18:05:13 A 0048 4736 NTLIB: MprAdminUserGetInfo returned error 0x6ba
ACS cannot resolve the RAS information for the other domain, so it returns the "MprAdminUserGetInfo returned error 0x6ba" error message: it failed to get RAS information for the user from SPKFP, where SPKFP is the domain controller (DC) of the user who tries to authenticate.
Note: This issue occurs on both the ACS appliance and ACS for Windows. In the case of ACS for Windows, this error can be checked in Auth.log. In the case of the ACS appliance, this error can be checked in the CSWinAgent remote agent logs.
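As an added example (not from Cisco or the original document), this Python script scans CSWinAgent or Auth.log text for the pattern shown above and counts, per domain controller, the RAS lookups that failed with 0x6ba. The meaning of the two numeric columns is not stated on this page; the script assumes they identify the worker handling a request and uses them only to pair lines. The user names and the HQDC01 controller in the sample are constructed.

```python
import re
from collections import Counter

# Win32 error 0x6ba (decimal 1722) is RPC_S_SERVER_UNAVAILABLE.
RPC_S_SERVER_UNAVAILABLE = 0x6BA

# Constructed sample in the log format quoted above. The user names and the
# HQDC01 controller are made up; SPKFP is the DC named in the document.
SAMPLE = """\
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Attempting Windows authentication for user jdoe
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Windows authentication SUCCESSFUL (by SPKFP)
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Obtaining RAS information for user jdoe from SPKFP
CSWinAgent 04/18/2007 18:05:11 A 0048 4102 NTLIB: Attempting Windows authentication for user asmith
CSWinAgent 04/18/2007 18:05:11 A 0048 4102 NTLIB: Windows authentication SUCCESSFUL (by HQDC01)
CSWinAgent 04/18/2007 18:05:11 A 0048 4102 NTLIB: Obtaining RAS information for user asmith from HQDC01
CSWinAgent 04/18/2007 18:05:13 A 0048 4736 NTLIB: MprAdminUserGetInfo returned error 0x6ba
CSWinAgent 04/18/2007 18:06:02 A 0048 4102 NTLIB: Attempting Windows authentication for user bkhan
CSWinAgent 04/18/2007 18:06:02 A 0048 4102 NTLIB: Obtaining RAS information for user bkhan from SPKFP
CSWinAgent 04/18/2007 18:06:05 A 0048 4102 NTLIB: MprAdminUserGetInfo returned error 0x6ba
"""

LINE = re.compile(r"^CSWinAgent (\S+ \S+) \S+ (\d+) (\d+) NTLIB: (.*)$")
RAS = re.compile(r"Obtaining RAS information for user\s*(.*?)\s*from (\S+)$")
ERR = re.compile(r"MprAdminUserGetInfo returned error (0x[0-9a-fA-F]+)")

def failed_ras_lookups(text):
    """Pair each MprAdminUserGetInfo error with the DC that was being queried."""
    pending, failures = {}, []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        stamp, key, msg = m.group(1), (m.group(2), m.group(3)), m.group(4)
        if msg.startswith("Attempting Windows authentication"):
            pending.pop(key, None)          # new request: drop stale state
        elif (ras := RAS.search(msg)):
            pending[key] = (ras.group(1), ras.group(2))
        elif (err := ERR.search(msg)) and key in pending:
            user, dc = pending.pop(key)
            failures.append({"time": stamp, "user": user, "dc": dc,
                             "code": int(err.group(1), 16)})
    return failures

def unreachable_dcs(text):
    """Count 0x6ba failures per DC that ACS could not reach for RAS information."""
    return Counter(f["dc"] for f in failed_ras_lookups(text)
                   if f["code"] == RPC_S_SERVER_UNAVAILABLE)
```

A DC that authenticates users successfully but shows up in `unreachable_dcs` matches the symptom described here, and its domain is a candidate for the DNS suffix list.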
In order to resolve this issue, add the DNS suffixes to the Ethernet controller with these steps:
1. Choose Network Connections from the Control Panel.
2. Right-click the local area connection.
3. Double-click the TCP/IP option.
4. Choose Advanced at the bottom.
5. Click DNS at the top.
6. Choose Append these DNS suffixes.
7. Add the FQDN for each domain that ACS authenticates against in the field.
Try to authenticate again, and it should work now.