Core issue
This issue is generally seen when there are multiple domains.
In order to isolate this issue, view the logs for CSWinAgent under C:\Program Files\Cisco\CiscoSecure ACS Agent\CSWinAgent\Logs.
If these messages are seen in the CSWinAgent logs, then it is a Microsoft Windows issue:
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Attempting Windows authentication for user
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Windows authentication SUCCESSFUL (by SPKFP)
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Obtaining RAS information for user from SPKFP
CSWinAgent 04/18/2007 18:05:13 A 0048 4736 NTLIB: MprAdminUserGetInfo returned error 0x6ba
ACS cannot resolve the RAS information for the other domain and hence returns the "MprAdminUserGetInfo returned error 0x6ba" error message, which means that it failed to get RAS information for the user from SPKFP, where SPKFP is the domain controller (DC) of the user who tries to authenticate.
Note: This issue occurs on both the ACS appliance and ACS for Windows. In the case of ACS for Windows, this error can be checked in Auth.log. In the case of the ACS appliance, this error can be checked in the CSWinAgent remote agent logs.
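The log pattern above can be checked for automatically. This Python script is an added example, not Cisco's code: it reports each successful Windows authentication that is followed by the MprAdminUserGetInfo 0x6ba error and names the domain controller involved. The line layout is inferred from the excerpt, the two numeric columns are assumed to tie the lines of one attempt together, and the DC-EXAMPLE lines are constructed.

```python
import re
from collections import Counter

# Layout inferred from the excerpt above. Assumption: the two numeric columns
# tie the lines of one attempt together; they are used only as an opaque key.
LINE = re.compile(
    r"^CSWinAgent (?P<date>\S+) (?P<time>\S+) \S+ (?P<k1>\d+) (?P<k2>\d+) "
    r"NTLIB: (?P<msg>.*)$"
)
AUTH_OK = re.compile(r"Windows authentication SUCCESSFUL \(by (?P<dc>[^)]+)\)")
RAS_ERR = re.compile(r"MprAdminUserGetInfo returned error (?P<code>0x[0-9a-fA-F]+)")

def find_ras_failures(lines, code="0x6ba"):
    """Return (date, time, dc) for each successful Windows authentication
    that is followed, under the same key, by the RAS lookup error."""
    last_dc, hits = {}, []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank or unrelated lines
        key, msg = (m["k1"], m["k2"]), m["msg"]
        if msg.startswith("Attempting Windows authentication"):
            last_dc.pop(key, None)  # new attempt: forget any stale DC
        elif (ok := AUTH_OK.search(msg)):
            last_dc[key] = ok["dc"]
        elif (err := RAS_ERR.search(msg)) and err["code"].lower() == code:
            if key in last_dc:
                hits.append((m["date"], m["time"], last_dc.pop(key)))
    return hits

def failures_by_dc(lines):
    """Count failures per domain controller to see which domains are affected."""
    return Counter(dc for _, _, dc in find_ras_failures(lines))

# First four lines are the page's excerpt; the remaining lines are constructed.
SAMPLE = """\
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Attempting Windows authentication for user
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Windows authentication SUCCESSFUL (by SPKFP)
CSWinAgent 04/18/2007 18:05:10 A 0048 4736 NTLIB: Obtaining RAS information for user from SPKFP
CSWinAgent 04/18/2007 18:05:13 A 0048 4736 NTLIB: MprAdminUserGetInfo returned error 0x6ba
CSWinAgent 04/18/2007 18:06:01 A 0048 5120 NTLIB: Attempting Windows authentication for user
CSWinAgent 04/18/2007 18:06:01 A 0048 5120 NTLIB: Windows authentication SUCCESSFUL (by DC-EXAMPLE)
CSWinAgent 04/18/2007 18:06:40 A 0048 4736 NTLIB: Windows authentication SUCCESSFUL (by SPKFP)
CSWinAgent 04/18/2007 18:06:43 A 0048 4736 NTLIB: MprAdminUserGetInfo returned error 0x6ba
"""

if __name__ == "__main__":
    for dc, n in failures_by_dc(SAMPLE.splitlines()).items():
        print(f"{dc}: {n} RAS lookup failure(s) after successful authentication")
```

The domain controllers it reports indicate which domains need a DNS suffix entry in the resolution steps.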
Resolution
In order to resolve this issue, add the DNS suffixes to the Ethernet controller with these steps:
- Choose Network Connections from the control panel.
- Right-click the local area connection.
- Choose Properties.
- Double-click the TCP/IP option.
- Choose Advanced at the bottom.
- Click on DNS at the top.
- Choose Append these DNS suffixes.
- Add the FQDN for each domain that ACS authenticates against in the field.
- Try the authentication again, and it should work now.