NAC L2 802.1X: Windows Logon Problem

Using CTA 4.0.2, ACS SE 4.x, and Windows AD, the following occurs:
1. When I log in to Windows XP using a local account, CTA prompts for its login. I can then enter the AD account. This process works!
2. When I log in to Windows XP using an AD account, I get the error msg "domain xyz is not available", so the CTA prompt never comes up.
3. When I log in to Windows XP using a "CACHED" AD account, CTA prompts for its login. I can then enter the AD account. This process also works!
4. Using Single Sign-on with "Never Validate Server", #2 and #3 occurred.
Any input is very much appreciated. Cisco TAC has been notified.
thanks,
Audie
703-292-5316

Hi all,
I have the exact same problem.
I have just upgraded my ACS to 4.1, but that didn't help with the problem.
You write "CTA 4.0.2"... I suppose you mean 2.0.x?
Did you guys do anything extra on the ACS to get this to work?
Kind regards
KDam

Similar Messages

  • PEAP Windows Logon -Machine & User Authentication -Multiple VLANS

    Windows Client <==> Access Point <==> Radius <==> Windows DC/AD
    Windows OS : XP Client SP 2
    Supplicant : Built-in Wireless Supplicant
    Authentication : 802.1x PEAP(MS-Chapv2)
    Access Point : Aironet 1200
    Radius : ACS 3.3
    Adaptors : Built-in
    CA : Microsoft
    I have a single SSID and am using a RADIUS server to assign users to different VLANs. When a computer boots up, machine authentication is used and the ACS tells the access point which VLAN to be on (i.e. VLAN1 192.168.1.x). Then when the user logs on the ACS tells the access point to switch the computer to a different VLAN (i.e. VLAN2 192.168.2.x). The problem is that the windows logon scripts do not run. Once the computer finishes booting, I quickly check its IP address and it still thinks it is on 192.168.1.x (VLAN1) when it is actually on VLAN2 and needs a 192.168.2.x address. If I give the machine time, it will eventually switch its IP to the 192.168.2.x address.
    Has anyone else run across this? I assume that there is no fix and that it is a Microsoft problem. Obviously, it can't do the logon script if it does not have a valid IP for its VLAN. I also never know who will be logging into the computer to put the computer in the correct VLAN ahead of time.
    Note: If the machine and user are both set to use the same VLAN, the computer does not have to switch IPs and the windows logon script works fine.
    Thanks
    Steve

    Hi there.
    I've tried that solution, and I had a similar problem. My problem was on the DHCP server side: there was a superscope defined with the different scopes for each VLAN. When I had the MAC address of one machine registered in the DHCP database, the settings were always the same. Then I deleted the superscope and only defined scopes for each VLAN. It's working fine now.
    Hope this helps you.
    Regards,
    João

  • Not getting windows logon screen

    HP 4530s Win 7 64 bit
    Still dealing with the keyboard problems. After changing 3 keyboards, with 3 Case#'s, I was told the problem is probably in the software, and before they would proceed I needed to return the system to the defaults (system restore from F11), disregarding my system image, and if the keyboard problem persists, then they will do something. I knew this was going to be a gigantic headache requiring many hours to get everything back. Used Windows Easy Transfer to save user stuff and restore it after. Was right about many hours. After about 6 hours I have most of my stuff back, but will need several more hours to get things into correct folders etc. At present, my biggest problem is that instead of getting the Windows logon I get an HP logon that is similar in function to being in Safe Mode. It is a white screen and the cursor is large and moves jerkily. There are 2 circles in the center that appear to have a fingerprint in one, not sure of the other. In the upper left is a button for PASSWORD and above that Audible Alerts Disabled, F5 to Enable. Above that is the computer name. How do I get rid of this and get the Windows Logon instead?

    Hi Glamorgranny,
    First, you may want the sidebar displayed so we can easily see connected devices:
    Show Sidebar - Choose View > Show Sidebar (this feature will display iTunes features on the left side of the application including Library, Store, Shared, Genius, and Playlists).
    Note: if you do not see the "View" option, turn on the menus by pressing Control-B.
    iTunes 11: Frequently used features
    http://support.apple.com/kb/HT5649
    Afterwards, your device should be displayed if connected:
    After clicking on the device on the left hand side, you should see the Summary page. You can then navigate to the different tabs:
    For more information, see this resource:
    iOS: Syncing with iTunes
    http://support.apple.com/kb/HT1386
    If your device is not displayed in the sidebar when connected, see this article:
    iOS: Device not recognized in iTunes for Windows
    http://support.apple.com/kb/TS1538
    Thanks,
    Matt M.

  • NAC Framework - NAC-L2-802.1x without CSSC client?

    Hi
    I'm just wondering if it is possible to do NAC-L2-802.1x without the use of the CSSC client? I've managed to get this working with the CSSC client with no problems, but have been having nothing but problems trying to get this working without. This client software is pretty expensive and if it is possible to get around using it, that'd be great. Thanks for any info.
    Jason

    You can do 802.1x without CSSC, you cannot support remediation without it however. 802.1x by itself allows you authentication, and dynamic VLAN assignment.

  • Cisco NAC 4.8 and Windows Server 2008 Enterprise 64bit SSO

    Hi,
    I am trying to set up SSO on Cisco NAC 4.8 with Windows Server 2008 Enterprise 64-bit, but I can't start the Active Directory SSO Service; it shows the error below. I saw this error: "KDC has no support for encryption type (14)". Could anyone help me troubleshoot this problem?
    FQDN: active.test.com
    Domain Name : test.com
    User : ccasso
    2011-02-05 12:00:30.225 +0700 WARN  com.perfigo.wlan.jmx.adsso.GSSServer - Server was not running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server starting server ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Server is now running ...
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - SPN : [ccasso/[email protected]]
    2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - done building kdc list for domain active.test.com
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - KDC(s) :[10.0.240.100]
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: writing to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - writeKrbFile: wrote to file ../conf/krb.txt
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - creating login context ...
    2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - created login context ...javax.security.auth.login.LoginContext@5ad7b2
    2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer - Unable to start server ... KDC has no support for encryption type (14)
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - Notifying GSSServer status Stopped
    2011-02-05 12:00:50.244 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - server is exiting .

    Hi,
    This error means that your DC does not support the encryption method the ACS wants to use.
    Usually this happens when you run 2008 Server with 2003 functionality...
    You will need to run ktpass.exe according to the DC you are running:
    http://www.cisco.com/en/US/docs/security/nac/appliance/configuration_guide/48/cas/s_adsso.html#wp1277452
    For Windows 2008 Server at 2003 Server functional level:
    ktpass -princ newadsso/[adserver.][email protected] -mapuser newadsso -pass PasswordText -out c:\newadsso.keytab -ptype KRB5_NT_PRINCIPAL
    HTH,
    Tiago
    If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
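
Added example (not part of the thread and not Cisco's code): a Python triage of a GSSServer log like the one posted above, which rejoins wrapped lines, pulls out the SPN, domain and KDC list, and maps the number in parentheses to its RFC 4120 Kerberos error code (14 is KDC_ERR_ETYPE_NOSUPP, an error code rather than an encryption type number). The sample log is constructed on the pattern of the post; the SPN, domain and KDC address in it are placeholders.

```python
import re

# Subset of Kerberos error codes from RFC 4120, section 7.5.9.
KRB_ERRORS = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    14: "KDC_ERR_ETYPE_NOSUPP",
    24: "KDC_ERR_PREAUTH_FAILED",
    37: "KRB_AP_ERR_SKEW",
}

HEADER = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<tz>[+-]\d{4}) "
    r"(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s*(?P<msg>.*)$"
)

def _strip_dash(text):
    return re.sub(r"^-\s*", "", text)

def parse_records(text):
    """Rebuild one record per timestamped entry, whether or not it was wrapped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["msg"] = _strip_dash(rec["msg"])
            records.append(rec)
        elif records:
            cur = records[-1]
            # First continuation line carries the "- message"; later ones are
            # hard wraps in the middle of a word, so join without a space.
            cur["msg"] = cur["msg"] + line if cur["msg"] else _strip_dash(line)
    return records

def summarize(records):
    out = {"spn": None, "domain": None, "kdcs": [], "failure": None}
    for rec in records:
        msg = rec["msg"]
        if m := re.search(r"SPN : \[(.+)\]", msg):
            out["spn"] = m.group(1)
        elif m := re.search(r"done building kdc list for domain (\S+)", msg):
            out["domain"] = m.group(1)
        elif m := re.search(r"KDC\(s\) :\[(.*)\]", msg):
            out["kdcs"] = [k.strip() for k in m.group(1).split(",") if k.strip()]
        elif rec["level"] == "ERROR":
            code = re.search(r"\((\d+)\)\s*$", msg)
            num = int(code.group(1)) if code else None
            out["failure"] = {"at": rec["ts"], "message": msg, "krb_code": num,
                              "krb_name": KRB_ERRORS.get(num, "unknown")}
    return out

# Constructed sample: wrapped and single-line entries, placeholder names.
SAMPLE = """\
2011-02-05 12:00:30.225 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - SPN : [ccasso/cas.example.test@EXAMPLE.TEST]
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - done building kdc list for domain example.test
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer - GSSServer - KDC(s) :[192.0.2.10]
2011-02-05 12:00:40.224 +0700 INFO  com.perfigo.wlan.jmx.adsso.GSSServer
- GSSServer - created login context ...javax.security.auth.login.LoginCon
text@5ad7b2
2011-02-05 12:00:40.239 +0700 ERROR com.perfigo.wlan.jmx.adsso.GSSServer
- Unable to start server ... KDC has no support for encryption type (14)
"""

if __name__ == "__main__":
    for key, value in summarize(parse_records(SAMPLE)).items():
        print(f"{key}: {value}")
```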

  • Remote Desktop disconnects immediately. Error 4005; Windows logon process has unexpectedly terminated.

    Hi, I have always been able to remote into my PC (Win 8.1) using Remote Desktop. Just recently this stopped working. Either I get a blank screen for about 10 seconds and then it closes, or the connection closes immediately. Every time this happens I get error 4005 in the event log: Windows logon process has unexpectedly terminated. It seems Remote Desktop stopped working after the last set of Windows updates were applied. But no other web searches indicate anyone else has had this problem recently. I've also read the Windows Server document on error 4005, which suggests my registry may be corrupt or a service may be stopped, but this does not seem to apply to my situation. I'm stumped, and without being able to remote into my PC from my office I can't do my job.
    Any suggestions would be greatly appreciated.
    UPDATE: After installing a new required Windows update and a bunch of optional Windows updates (that I had been ignoring), the problem has been fixed. I'm guessing whichever Windows update broke Remote Desktop was fixed in the latest update(s).

    Hi arzoo1,
    So you have checked the steps mentioned in the article below?
    Event ID 4005 — Windows Logon Availability
    You may try the Dism /online /cleanup-image /restorehealth command and then check if the issue persists.
    For Windows Update related issues, please consider system restore or startup repair.
    Try to boot into clean boot and then remote again to check if the issue persists.
    Best regards
    Michael Shao
    TechNet Community Support

  • Microsoft // Winlogon 4005 (The Windows logon process has unexpectedly terminated) on one Windows Server 2012 VM with working RDS roles installed

    Hello experts,
    I have deployed all essential RDS roles and features on one Windows Server 2012 Virtual Machine a few months ago and I recently ran into issues with users not being able to access it through RDP all of a sudden after entering credentials successfully.
    Every time that happens I get an event ID Winlogon 4005 (The Windows logon process has unexpectedly terminated). I am also receiving, but not all the time, event ID 6000 and 6003 referring to being unable to handle critical or normal events from AUinstallAgent.
    Any help on this problem would be greatly appreciated.
    Thank you in advance for your support.
    Massimiliano

  • Win 98SE Startup Logon Problem

    All our Win 98SE machines have had the startup logon problem since we migrated to the Cisco 1240AP. Previously, we didn't have this problem when we were still using the SMC AP.
    When we want to log in to the Windows 2000 domain during startup, the system complains that it can't find a DC and we have to click OK to proceed. Once logged in, we can see that it detects the AP with good signal strength. Then we need to log off, and only then can we log in to the domain without any problem.
    But when we restart the system to log in to the domain again, the same problem occurs. Only when you click OK to log in without the network and then log off and log in again without restarting the system can the PC find the domain and log in without a problem. All our PCs use static IP assignment with DNS and WINS configured.
    We are currently using the DLink client wireless adapter, and we have tried changing to a Belkin client wireless adapter with a more recent Win98 driver, but with the same problem.
    Our Windows XP machines don't have this issue. As I said, previously when we were using an SMC AP, we didn't have this problem.
    Has anyone here had the same problem and found a solution?
    Thanks.
    CMYip

    Yes. The solution was to upgrade the customer's laptops to WinXP.
    (Drive mappings were also a related issue).

  • Access Connections - Use Windows Logon grayed out

    I have seen multiple posts on this, but no solution. I am trying to configure acconn for PEAP, but in the user credential section, the Use Windows Logon option is grayed out. I have tried reinstalling and checking off the box on the install, still no luck. Lenovo had me reload the laptop to factory, but that didn't help either.
    Suggestions?
    Ron

    OK, are you logged on to the system with Admin privileges? If not, then you can't change the Global Settings.
    I strongly suggest not deleting registry entries.  mgtitchenell mostly had it right, but instead do this:
    Go into Global Options in Access Connection, uncheck it, click OK and restart, then go back in and check it, click OK and restart.
    After this - the option should no longer be grayed out.
    If that doesn't work, then the problem most likely comes from some other GINA installed on the system that Access Connections doesn't recognize. Look back at the registry entry (HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon) and look for an entry that either has the word GINA mixed up in it, or that points to some file that ends in .dll
    Disk encryption software and some VPN programs put in their own DLL (or things like Novell Netware client)

  • X200s Fingerprint logon problems

    Hi there,
    I seem to have a rather strange problem on one of my X200s laptops. When you get to the welcome screen in Windows XP, it first shows the welcome screen and says please connect fingerprint sensor or push Ctrl+Alt+Del.
    On this screen it doesn't even register if you swipe your finger across the sensor.
    If you push Ctrl+Alt+Del then it takes you to another welcome screen where you get the normal message about swiping your finger or pushing Ctrl+Alt+Del. If you swipe your finger here then it works fine. And if you push Ctrl+Alt+Del then you get the Windows logon screen.
    I have tried disabling the welcome screen in both the fingerprint software as well as in User settings on control panel but still no joy.
    I have also ensured I have the latest fingerprint software installed as well as the latest driver for the fingerprint sensor.
    Anyone got any suggestions?
    Thanks in advance

    Really? Nobody's even got a suggestion for this one? Really????

  • NAC framework NAC-L2-802.1x, CTA 2.1, CSSC, ACS 4.2 not working???

    Hi
    I'm trying to set up my first crack at the NAC framework, using NAC-L2-802.1x. For this, the equipment I'm using is:
    Cisco 2950 switch (IOS /c2950-i6q4l2-mz.121-22.EA11.bin)
    Cisco 1811 router (inter-vlan routing)
    Cisco Secure ACS (90 day trial) 4.2
    CTA 2.1.103
    CSSC 5.1.0.39
    Windows XP SP3 client machine
    So I've tried to follow the Network Admission Control Framework Guide for the NAC-L2-802.1x section and all seems to have gone as laid out in the document, except when I get to the point where I actually test the config by bringing up the client port. I do the 'no shut' on the port, the light on the switch port goes amber and the CSSC client says it's waiting for an IP address; it never pops up asking for credentials as shown in that document. I check the RADIUS server logs and there are no passes or fails for this host. I know RADIUS is working from this switch as I have it set up for login authentication, which works just fine. I am completely stumped, and the only thing I can think of is trying to install a full certificate server and going that way, instead of the self-signed cert which CSACS has generated; I've copied the .cer file to the client, installed it, and verified it is installed with the Certificates MMC. Please, somebody provide some better reading on this matter, or some assistance. Thanks very much.
    Jason
    aaa new-model
    aaa authentication login default group radius local
    aaa authentication dot1x default group radius
    aaa authorization network default group radius
    aaa accounting dot1x default start-stop group radius
    dot1x system-auth-control
    Client port;
    interface FastEthernet0/1
    switchport mode access
    dot1x port-control auto
    dot1x timeout reauth-period server
    dot1x reauthentication

    You can refer to the below URL for future reference:
    http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/3.3/user/guide/nac.html
    http://www.cisco.com/en/US/netsol/ns617/networking_solutions_sub_solution_home.html
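
Added example (not from the thread and not Cisco's code): a Python audit of a switch configuration for the 802.1X commands listed in the post above, reporting missing global commands and access ports that are not in `dot1x port-control auto`. The sample configuration is constructed; FastEthernet0/2 and FastEthernet0/3 are hypothetical ports added to show the findings.

```python
# Global commands from the post that 802.1X port authentication relies on.
REQUIRED_GLOBAL = (
    "aaa new-model",
    "aaa authentication dot1x",
    "dot1x system-auth-control",
)

def split_interfaces(config):
    """Return (global_lines, {interface_name: [subcommands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":                       # block separator in a running-config
            current = None
        elif line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces

def audit_dot1x(config):
    """List (scope, finding) tuples for gaps in 802.1X enforcement."""
    global_lines, interfaces = split_interfaces(config)
    findings = []
    for cmd in REQUIRED_GLOBAL:
        if not any(line.startswith(cmd) for line in global_lines):
            findings.append(("global", f"missing '{cmd}'"))
    for name, cmds in interfaces.items():
        if "switchport mode access" not in cmds:
            continue                          # trunk and routed ports are out of scope
        control = next((c for c in cmds if c.startswith("dot1x port-control ")), None)
        if control is None:
            findings.append((name, "access port without dot1x port-control"))
        elif control != "dot1x port-control auto":
            findings.append((name, f"'{control}': port is not in auto mode, "
                                   "so no 802.1X exchange takes place"))
    return findings

# Constructed sample: the global 'dot1x system-auth-control' line is left out
# on purpose, and two hypothetical ports are not enforcing 802.1X.
SAMPLE = """\
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
!
interface FastEthernet0/1
 switchport mode access
 dot1x port-control auto
 dot1x reauthentication
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 dot1x port-control force-authorized
!
"""

if __name__ == "__main__":
    for scope, finding in audit_dot1x(SAMPLE):
        print(f"{scope}: {finding}")
```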

  • Reports 6i windows display problem on Windows NT system

    I am using Reports 6i on Windows NT. All the Reports 6i windows have become transparent windows, with a display problem (repainting problem). I did a fresh installation, but I am not able to solve this.

    I am using same fonts on all these platforms. Look more closely at those fonts. They may have the same names, but the Windows 2000 versions may be larger (able to render more characters).

  • Logon Problems? Get support is not working in Portal logon Page

    Hi Experts,
    I have created a Role and assigned the Logon_help action to it and assigned the Role to the Anonymous group.
    So I have the Logon Problem? Get Support link on the Portal Logon Screen. When I click on it, I am asked to provide userid and email id.
    I have entered them. I got a message that my userid is reset and sent to my mail, but I haven't received any mail, and the password is changed, so I have to log in as admin and reset the password.
    Please help me in this regard.
    Thank you
    Siva

    You might not have correctly configured your mail servers...
    Refer to the links below:
    http://help.sap.com/saphelp_nw70/helpdata/en/89/c5fd430b63c74bbdfaa5f2ec9bb20b/content.htm
    http://help.sap.com/saphelp_nw70/helpdata/en/44/0761cea5c610b3e10000000a11466f/frameset.htm

  • Fingerprint reader on DV6t no longer works on windows logon

    For some reason the fingerprint reader on my Pavilion Dv6t, LM720AV, does not work on windows logon anymore
    I get the usual lock screen where I have to enter my password.  The fingerprint option no longer appears
    I have tried rebooting, powering off, reinstalling the validity sensor package sp55109 and it still does not work
    Any help would be greatly appreciated
    Thanks

    Export the Webcard Database:
    If you have working SimplePass software, Export your Webcards before proceeding.  In the event that you must later remove the SimplePass software, your webcard backup can be used (imported) to restore your website login information.
    Start SimplePass > Settings > Export     NOTE:  File will be named *.tsd
    Then:
    Try / Consider:
    ===================================================================
    The Hard Reset:
    This method works for a variety of Driver connection and ‘stuck’ program issues.
    Shut down the computer
    Disconnect all external devices - everything.
    Remove (disconnect / unplug) the AC power
    If the notebook contains a removable Battery, remove it
    Press and hold power button for at least 30 seconds
    Reinstall the AC power cord for first startup ** See Note
    Power on - Log in
    Next time you shut down the system, reinstall the battery.
    ** Note:  If time is short, reinstall battery the first time and be done with it.
    Reference:
    Hard Reset to Resolve Hardware and Software Issues
    ===================================================================
     If that does not resolve the issue, then try this:
    Repair the SimplePass Software:
    Control Panel > Programs and Features >
    Look for this program:
    Right-Click on HP SimplePass
    Select "Repair"
    Restart / Reboot your computer and log in...
    ====================================================================
    Kind Regards,
    Dragon-Fur

  • How to capture the Windows logon user

    Hi. How can I capture the Windows logon user for the browser?
    I have a procedure on webtoolkit, and when I call the proc I pass the user of the application; I need to check if the net user is the same.
    Thanks

    If you have to take the user name of the server machine, it is just
    System.getProperty("user.name");
    If you want to retrieve the username from the client machine,
    then look at this thread:
    http://forum.java.sun.com/thread.jspa?threadID=766416&messageID=4370490#4370490

    Hi All... I'm developing a BI Publisher report in which one of the columns is a clob data type. I'm using an xsl stylesheet to format the data present in the clob column. I've developed the report using data template as the data set. The problem is t