This issue is generally seens when there are multiple domains.
IN order to isolate this issue, view the logs for CSWinAgent under C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs>.
If these logs are seen under CSWinAgent logs, then it is a Microsoft Windows issue:
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Attempting Windows authentication for user CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Windows authentication SUCCESSFUL (by SPKFP) CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Obtaining RAS information for user from SPKFP CSWinAgent 04/18/2007 18:05:13 A 0048 4736 NTLIB: MprAdminUserGetInfo returned error 0x6ba
ACS cannot resolve the RAS information for other domain and hence return the MprAdminUserGetInfo returned error 0x6ba error message failed to get RAS information for user from SPKFP, where SPKFP is the Domain controller (DC) of the user who tries to authenticate.
Note: This issue occurs on both the ACS appliance and the ACS for Windows. In the case of ACS for Windows, this error can be checked in Auth.log. In case of the ACS appliance, this error can be checked on the CSWinAgent Remote agent logs.
In order to resolve this issue, add the DNS suffixes to the Ethernet controller with these steps:
Choose Network Connections from the control panel.
Right-click the local area connection.
Double-click the TCP/IP option.
Choose Advanced at the bottom.
Click on DNS at the top.
Choose Append these DNS suffixes.
Add the FQDN for each domain that ACS authenticates against in the field.
Try the authenticate again, and it should work now.
Hello, Our SSL Certificate on the admin portal has expired and will not allow us to log on. The cert was issued by our local CA via a CSR from the ISE instance. I do have access to the CLI. I'm not given the opportunity to logon, I get an SSL error f...
We are rebuilding our ISE environment and moving from version 2.3 patch 6 to version 2.7 patch 2. I am at the phase where I am now configuring the guest hotspot portal. I am using the portal customization page rather than the ISE Portal Builde...
Hello, we are doing PEAP machine only for wired 802.1x, (Policy is set up so if a PC has the cert and is in the AD group it passes) so wondering why we are getting these user auth attempts and so then the switch shows dot1x failed even though the machine ...