NAC L2 802.1X: Windows Logon Problem
Using CTA 4.0.2, ACS SE 4.x, and Windows AD the following occurs:
1. When logging in to Windows XP using a local account, CTA prompts for its login. I can then enter the AD account. This process works!
2. When logging in to Windows XP using an AD account, the error message "domain xyz is not available" appears, so the CTA prompt never comes up.
3. When logging in to Windows XP using a "CACHED" AD account, CTA prompts for its login. I can then enter the AD account. This process also works!
4. Using Single Sign-on with "Never Validate Server", #2 and #3 occurred.
Any input is much appreciated. Cisco TAC has been notified.
Thanks,
Audie
703-292-5316
Hi all,
I have the exact same problem.
I have just upgraded my ACS to 4.1, but that didn't help with the problem.
You write "CTA 4.0.2"... I suppose you mean 2.0.x?
Did you guys do anything extra on the ACS to get this to work?
Kind regards
KDam
Similar Messages
-
PEAP Windows Logon -Machine & User Authentication -Multiple VLANS
Windows Client <==> Access Point <==> Radius <==> Windows DC/AD
Windows OS : XP Client SP 2
Supplicant : Built-in Wireless Supplicant
Authentication : 802.1x PEAP(MS-Chapv2)
Access Point : Aironet 1200
Radius : ACS 3.3
Adaptors : Built-in
CA : Microsoft
I have a single SSID and am using a RADIUS server to assign users to different VLANs. When a computer boots up, machine authentication is used and the ACS tells the access point which VLAN to be on (i.e. VLAN1 192.168.1.x). Then when the user logs on the ACS tells the access point to switch the computer to a different VLAN (i.e. VLAN2 192.168.2.x). The problem is that the windows logon scripts do not run. Once the computer finishes booting, I quickly check its IP address and it still thinks it is on 192.168.1.x (VLAN1) when it is actually on VLAN2 and needs a 192.168.2.x address. If I give the machine time, it will eventually switch its IP to the 192.168.2.x address.
Has anyone else run across this? I assume that there is no fix and that it is a Microsoft problem. Obviously, it can't do the logon script if it does not have a valid IP for its VLAN. I also never know who will be logging into the computer to put the computer in the correct VLAN ahead of time.
Note: If the machine and user are both set to use the same VLAN, the computer does not have to switch IPs and the windows logon script works fine.
Thanks
Steve
Hi there.
I've tried that solution, and I had a similar problem. My problem was on the DHCP server side: there was a superscope defined with the different scopes for each VLAN. When I had the MAC address from one machine registered in the DHCP database, the settings were always the same. Then I deleted the superscope and only defined scopes for each VLAN. It's working fine now.
Hope this helps you.
Regards,
João -
Not getting windows logon screen
HP 4530s Win 7 64 bit
Still dealing with the keyboard problems. After changing 3 keyboards, with 3 Case#'s, I was told the problem is probably in the software, and before they would proceed I needed to return the system to the defaults (system restore from F11), disregarding my system image, and if the keyboard problem persists, then they will do something. I knew this was going to be a gigantic headache requiring many hours to get everything back. Used Windows Easy Transfer to save user stuff and restore it after. Was right about many hours. After about 6 hours I have most of my stuff back, but will need several more hours to get things into correct folders etc. At present, my biggest problem is that instead of getting the Windows logon I get an HP logon that is similar in function to being in Safe Mode. It is a white screen and the cursor is large and moves jerkily. There are 2 circles in the center that appear to have a fingerprint in one, not sure of the other. In the upper left is a button for PASSWORD and above that Audible Alerts Disabled, F5 to Enable. Above that is the computer name. How do I get rid of this and get the Windows Logon instead?
Hi Glamorgranny,
First, you may want the sidebar displayed so we can easily see connected devices:
Show Sidebar - Choose View > Show Sidebar (this feature will display iTunes features on the left side of the application including Library, Store, Shared, Genius, and Playlists).
Note: if you do not see the "View" option, turn on the menus by pressing Control-B.
iTunes 11: Frequently used features
http://support.apple.com/kb/HT5649
Afterwards, your device should be displayed if connected:
After clicking on the device on the left hand side, you should see the Summary page. You can then navigate to the different tabs:
For more information, see this resource:
iOS: Syncing with iTunes
http://support.apple.com/kb/HT1386
If your device is not displayed in the sidebar when connected, see this article:
iOS: Device not recognized in iTunes for Windows
http://support.apple.com/kb/TS1538
Thanks,
Matt M. -
NAC Framework - NAC-L2-802.1x without CSSC client?
Hi
I'm just wondering if it is possible to do NAC-L2-802.1x without the use of the CSSC client? I've managed to get this working with the CSSC client with no problems, but have been having nothing but problems trying to get this working without. This client software is pretty expensive and if it is possible to get around using it, that'd be great. Thanks for any info.
Jason
You can do 802.1x without CSSC; you cannot support remediation without it, however. 802.1x by itself allows you authentication and dynamic VLAN assignment.
-
Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO
Hi,
I am trying to set up SSO on Cisco NAC 4.8 and Windows Server 2008 Enterprise 64-bit, but I can't start the Active Directory SSO Service; it shows the error below. I saw this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
FQDN: active.test.com
Domain Name : test.com
User : ccasso
2011-02-05 12:00:30.225 +0700 WARN com.perfigo.wlan.jmx.adsso.GSSServer
- Server was not running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server starting server ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Server is now running ...
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - SPN : [ccasso/[email protected]]
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - done building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - KDC(s) :[10.0.240.100]
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: writing to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - creating login context ...
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginCon
text@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Notifying GSSServer status Stopped
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- server is exiting .
Hi,
This error means that your DC does not support the encryption method the ACS wants to use.
Usually this happens when you run 2008 Server with 2003 functionality...
You will need to run ktpass.exe according to the DC you are running:
http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452
For Windows 2008 Server at 2003 Server functional level:
ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
HTH,
Tiago
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it. -
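An added example (not part of the original posts and not Cisco tooling): a small parser for the two-line GSSServer log layout quoted in the question, which pulls out the domain, the KDC list and the Kerberos failure in one pass. The function names `parse_records` and `diagnose` are hypothetical, and reading the trailing `(14)` as the RFC 4120 error code (where 14 is KDC_ERR_ETYPE_NOSUPP) is an assumption about how this log prints Kerberos failures.

```python
import re

# Excerpt of the log quoted in the post above, kept in its two-line layout
# (timestamp/level/logger on one line, "- message" on the next).
SAMPLE_LOG = """\
2011-02-05 12:00:30.225 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - building kdc list for domain active.test.com
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - KDC(s) :[10.0.240.100]
2011-02-05 12:00:40.224 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginCon
text@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
2011-02-05 12:00:50.244 +0700 INFO com.perfigo.wlan.jmx.adsso.GSSServer
- Notifying GSSServer status Stopped
"""

HEADER = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) [+-]\d{4}\s+(\w+)\s+(\S+)\s*$")

# RFC 4120 error codes that commonly stop a Kerberos service at startup.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
}

def parse_records(text):
    """Join each header line with its message and any hard-wrapped tail."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"ts": m.group(1), "level": m.group(2),
                            "logger": m.group(3), "msg": ""})
        elif records:
            # "- " starts the message; anything else is a wrapped continuation.
            part = line[2:] if line.startswith("- ") else line
            records[-1]["msg"] += part.rstrip()
    return records

def diagnose(records):
    """Summarise domain, KDC list, Kerberos failure and final service status."""
    out = {"domain": None, "kdcs": [], "error_code": None,
           "error_name": None, "final_status": None}
    for r in records:
        msg = r["msg"]
        if m := re.search(r"building kdc list for domain (\S+)", msg):
            out["domain"] = m.group(1)
        if m := re.search(r"KDC\(s\) :\[(.*?)\]", msg):
            out["kdcs"] = [k.strip() for k in m.group(1).split(",") if k.strip()]
        if r["level"] == "ERROR" and (m := re.search(r"\((\d+)\)$", msg)):
            # Assumption: the trailing number is the Kerberos error code.
            out["error_code"] = int(m.group(1))
            out["error_name"] = KRB_ERRORS.get(out["error_code"], "UNKNOWN")
        if m := re.search(r"Notifying GSSServer status (\w+)", msg):
            out["final_status"] = m.group(1)
    return out

if __name__ == "__main__":
    print(diagnose(parse_records(SAMPLE_LOG)))
```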
Hi, I have always been able to remote into my PC (Win 8.1) using Remote Desktop. Just recently this stopped working. Either I get a blank screen for about 10 seconds and then it closes, or the connection closes immediately. Every time this happens I get error 4005 in the event log: Windows logon process has unexpectedly terminated. It seems Remote Desktop stopped working after the last set of Windows updates was applied. But no other web searches indicate anyone else has had this problem recently. I've also read the Windows Server document on error 4005, which suggests my registry may be corrupt or a service may be stopped, but this does not seem to apply to my situation. I'm stumped, and without being able to remote into my PC from my office I can't do my job.
Any suggestions would be greatly appreciated.
UPDATE: After installing a new required Windows update and a bunch of optional Windows updates (that I had been ignoring), the problem has been fixed. I'm guessing whichever Windows update broke Remote Desktop was fixed in the latest update(s).
Hi arzoo1,
So you have checked the steps mentioned in the article below?
Event ID 4005 — Windows Logon Availability
You may try the Dism /online /cleanup-image /restorehealth command and then check whether the issue persists.
For Windows Update related issues, please consider system restore or startup repair.
Try to boot into clean boot and then remote in again to check whether the issue persists.
Best regards
Michael Shao
TechNet Community Support -
Hello experts,
I have deployed all essential RDS roles and features on one Windows Server 2012 Virtual Machine
a few months ago and I recently ran into issues with users not being able to access it through RDP all of a sudden after entering credentials successfully.
Every time that happens I get an event ID Winlogon 4005 (The Windows logon process has unexpectedly
terminated). I am also receiving but not all the time event ID 6000 and 6003 referring to being unable to handle critical or normal events from AUinstallAgent.
Any help on this problem would be greatly appreciated.
Thank you in advance for your support.
Massimiliano -
Win 98SE Startup Logon Problem
All our Win 98SE machines had the startup logon problem when we migrated to the Cisco 1240AP. Previously, we didn't have this problem when we were still using the SMC AP.
When we want to log in to the Windows 2000 Domain during startup, the system complains that it can't find a DC and we have to click OK to proceed. Once logged in, we can see that it can detect the AP with good signal strength. Then we need to log off, and only then can we log in to the Domain without any problem.
But when we restart the system to log in to the Domain again, the same problem occurs. Only when you click OK to log in without the network and then log off again to log in without restarting the system can the PC find the Domain and log in without a problem. All our PCs are using static IP assignment with DNS and WINS configured.
We are currently using the DLink client wireless adapter, and we tried changing to a Belkin client wireless adapter with a more recent Win98 driver, but with the same problem.
Our Windows XP machines don't have this issue. As I said, previously when we were using an SMC AP, we didn't have this problem.
Has anyone here had the same problem and found a solution?
Thanks.
CMYip
Yes. The solution was to upgrade the customer's laptops to WinXP.
(Drive mappings were also a related issue). -
Access Connections - Use Windows Logon grayed out
I have seen multiple posts on this, but no solution. I am trying to configure acconn for PEAP, but in the user credential section, the Use Windows Logon option is grayed out. I have tried reinstalling and checking off the box on the install, still no luck. Lenovo had me reload the laptop to factory, but that didn't help either.
Suggestions?
Ron
OK, are you logged on to the system with Admin privileges? If not, then you can't change the Global Settings.
I strongly suggest not deleting registry entries. mgtitchenell mostly had it right, but instead do this:
Go into Global Options in Access Connection, uncheck it, click OK and restart, then go back in and check it, click OK and restart.
After this - the option should no longer be grayed out.
If that doesn't work, then the problem most likely comes from some other GINA installed on the system that Access Connections doesn't recognize. Look back at the registry entry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon) and look for an entry that either has the word GINA mixed up in it, or that points to some file that ends in .dll
Disk encryption software and some VPN programs put in their own DLL (or things like Novell Netware client) -
X200s Fingerprint logon problems
Hi there,
I seem to have a rather strange problem on one of my X200s laptops. When you get to the welcome screen in Windows XP, it first shows the welcome screen and says "please connect fingerprint sensor or push Ctrl+Alt+Del".
On this screen it doesn't even register if you swipe your finger across the sensor.
If you push Ctrl+Alt+Del, then it takes you to another welcome screen where you get the normal message about swiping your finger or pushing Ctrl+Alt+Del. If you swipe your finger here, then it works fine. And if you push Ctrl+Alt+Del, then you get the Windows logon screen.
I have tried disabling the welcome screen in both the fingerprint software as well as in User settings in Control Panel, but still no joy.
I have also ensured I have the latest fingerprint software installed as well as the latest driver for the fingerprint sensor.
Anyone got any suggestions?
Thanks in advance
Really? Nobody's even got a suggestion for this one? Really????
-
Hi
I'm trying to set up my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is:
Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
Cisco 1811 router (inter-vlan routing)
Cisco Secure ACS (90 day trial) 4.2
CTA 2.1.103
CSSC 5.1.0.39
Windows XP SP3 client machine
So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section, and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch, as I have it set up for login authentication, which works just fine. I am completely stumped, and the only thing I can think of is trying to install a full certificate server and going that way, instead of the self-signed cert which CSACS has generated; I've copied the .cer file to the client, installed it, and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
Jason
aaa new-model
aaa authentication login default group radius local
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
dot1x system-auth-control
Client port:
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x timeout reauth-period server
 dot1x reauthentication
You can refer to the URLs below for future reference:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html -
Reports 6i windows display problem on Windows NT system
I am using Reports 6i on Windows NT. All the Reports 6i windows have become transparent windows, with a display problem (repainting problem). I did a fresh installation, but I am not able to solve this.
I am using the same fonts on all these platforms.
Look more closely at those fonts. They may have the same names, but the Windows 2000 versions may be larger (able to render more characters).
-
Logon Problems? Get support is not working in Portal logon Page
Hi Experts,
I have created a Role, assigned the Logon_help action to it, and assigned the Role to the Anonymous group.
So I have the "Logon Problems? Get Support" link on the Portal Logon Screen. When I click on it, I am asked to provide user ID and email ID.
I have entered them. I got a message that my user ID is reset and sent to my mail, but I haven't received any mail, and the password is changed, so I have to log in as admin and reset the password.
Please help me in this regard.
Thank you
Siva
You might not have correctly configured your mail servers....
refer below link
http://help.sap.com/saphelp_nw70/helpdata/en/89/c5fd430b63c74bbdfaa5f2ec9bb20b/content.htm
http://help.sap.com/saphelp_nw70/helpdata/en/44/0761cea5c610b3e10000000a11466f/frameset.htm -
Fingerprint reader on DV6t no longer works on windows logon
For some reason the fingerprint reader on my Pavilion Dv6t, LM720AV, does not work on windows logon anymore
I get the usual lock screen where I have to enter my password. The fingerprint option no longer appears
I have tried rebooting, powering off, reinstalling the validity sensor package sp55109 and it still does not work
Any help would be greatly appreciated
Thanks
Export the Webcard Database:
If you have working SimplePass software, Export your Webcards before proceeding. In the event that you must later remove the SimplePass software, your webcard backup can be used (imported) to restore your website login information.
Start SimplePass > Settings > Export NOTE: File will be named *.tsd
Then:
Try / Consider:
===================================================================
The Hard Reset:
This method works for a variety of Driver connection and ‘stuck’ program issues.
Shut down the computer
Disconnect all external devices - everything.
Remove (disconnect / unplug) the AC power
If the notebook contains a removable Battery, remove it
Press and hold power button for at least 30 seconds
Reinstall the AC power cord for first startup ** See Note
Power on - Log in
Next time you shut down the system, reinstall the battery.
** Note: If time is short, reinstall battery the first time and be done with it.
Reference:
Hard Reset to Resolve Hardware and Software Issues
===================================================================
If that does not resolve the issue, then try this:
Repair the SimplePass Software:
Control Panel > Programs and Features >
Look for this program:
Right-Click on HP SimplePass
Select "Repair"
Restart / Reboot your computer and log in...
====================================================================
Kind Regards,
Dragon-Fur -
How to capture the Windows logon user
Hi. How can I capture the Windows logon user for the browser?
I have a procedure on webtoolkit, and when I call the proc I pass the user of the application; I need to check if the net user is the same.
Thanks
If you have to take the user name of the server machine, it is just
System.getProperty("user.name");
If you want to retrieve the username from the client machine
then look at this thread
http://forum.java.sun.com/thread.jspa?threadID=766416&messageID=4370490#4370490