ACS authentication issue

May 6th, 2008

I have configured Cisco ACS v4.1 to control network access. When a domain user logs on, it takes a few seconds to log on using credentials. However, it takes around 1 minute for the authentication to succeed. The problem is that the computer can't talk to the DHCP server and the DC at logon. The network status shows "Limited or no connectivity". ipconfig shows it is using an automatic IP address, 169.254.x.x. To obtain an IP or talk to the DC, the user needs to enter ipconfig /renew or re-logon. How do you troubleshoot it?

Jagdeep Gambhir Wed, 05/07/2008 - 06:13

Do you have machine authentication configured? If not, then you need to set it up.

The main purpose of Machine Authentication is to actually log you into the domain as if you were connected via a wired connection. It allows you to have startup scripts run and drive mappings occur.

"Machine authentication--ACS authenticates the computer prior to user authentication. ACS checks the credentials that the computer provides against the Windows user database. If you use Active Directory and the matching computer account in Active Directory has the same credentials, the computer gains access to Windows domain services."



Do rate helpful posts

chicagotech Wed, 05/07/2008 - 09:53

Thank you for the reply.

Yes, I do have machine authentication. Remember, after a re-logon or an IP renew, it works. The ACS log shows the authentication is successful.

Also, I am using wired, not wireless. Any other suggestions?

chicagotech Wed, 05/07/2008 - 12:01

Thank you for the link. I think the problem is that it takes too long to get the authentication (over 1 minute). For example, the computer has logged on using credentials, but the port LED is still orange. I also find that if we don't re-logon or renew the IP, the computer will receive a good IP automatically in 5 minutes. The problem is that the user doesn't have the mapping because it doesn't run the logon script from the DC.

