Access denied: fast-reconnect was successful but user was not found ...
We're implementing a NAC (framework) pilot and are experiencing clients that fail re-authentication with the following in the failed-attempts ACS 4 logging:
"Access denied: fast-reconnect was successful but user was not found in cache"
From what I see, the first successful authentication is done using username "user@DOMAIN" while the re-authentication is done with just "user". Hence the "user not found in cache".
Does someone know how to correct this issue?
We're running on W2K as well as XP using CTA2.0.30 or CTA 220.127.116.11 with and without integrated supplicant. In the case we're running CTA without supplicant we're running the Meetinghouse AEGIS SecureConnect supplicant.
Authentication is based on EAP-FAST and PEAP-MSCHAPv2.
Re: Access denied: fast-reconnect was successful but user was no
These failures are related to PEAP authentication when fast reconnect is attempted but the fast reconnect session timeout has expired and the user credentials have been cleared. This should be followed by the user being prompted for username and password.