https://community.cisco.com/t5/network-access-control/cisco-5-3-cluster-domain-notation-only-required-when-using/m-p/1924263#M192462 <P>Overview:&nbsp; Cisco 5.3 cluster, with primary server and secondary servers at separate datacenters.&nbsp;&nbsp; For remote vpn authentication through Cisco ASA, using radius authentication and Active Directory security groups.</P><P></P><P>The primary and secondary ACS servers are members (connected) to the root domain of our AD forest.</P><P></P><P>Issue:&nbsp; During testing, I am experiencing different results as it relates to the use of the requirement of domain notation during login.&nbsp; When testing against the primary acs server, I am able to pass authentication for users in the root domain and child domains with or without domain notation.&nbsp; When testing against the secondary ACS server, domain notation is required for child domains.</P><P></P><P> Since each server is running the same version, 5.3.0.40, and are connected to the same domain, which happens to the be the root domain of the forest, I would expect the same results from testing.&nbsp; I did confirm that they are synchronized properly.</P><P></P><P>Example:&nbsp; </P><P> - The forest name and root domain is&nbsp; X and the acs servers are members of x.</P><P> - Child domains are y and z</P><P></P><P>When I test authentication against the primary, I can login with a user from x,y, or z using domain notation (domain\username)&nbsp; or without domain notation (username)</P><P></P><P>When I test against the secondary ACS server, I can login using domain notation for x,y,z.&nbsp; But when I test with domain notation, it only works when the user is from the root domain X.&nbsp; So users from y and z must use domain notation.</P><P></P><P>The logs show the error as:</P><P><A href="https://10.12.2.34/avreports/servlet/GenericRedirector?command=submit&amp;__requesttype=immediate&amp;invokeSubmit=true&amp;__executableName=%2Fhome%2Facsadmin%2FFailure_Reason%2FAuthentication_Failure_Code_Lookup.rptdesign&amp;rptFailureReason=22056+Subject+not+found+in+the+applicable+identity+store%28s%29.&amp;__locale=en_US&amp;iportalID=TKNENRBYE&amp;__masterpage=false&amp;__newWindow=false" style="color: #ff0000; margin-top: 0pt;" target="_self" title="Click for failure reason details">22056 Subject not found in the applicable identity store(s)</A></P> Mon, 11 Mar 2019 01:59:11 GMT tcroziercisco 2019-03-11T01:59:11Z https://community.cisco.com/t5/network-access-control/cisco-5-3-cluster-domain-notation-only-required-when-using/m-p/1924263#M192462 <P>Overview:&nbsp; Cisco 5.3 cluster, with primary server and secondary servers at separate datacenters.&nbsp;&nbsp; For remote vpn authentication through Cisco ASA, using radius authentication and Active Directory security groups.</P><P></P><P>The primary and secondary ACS servers are members (connected) to the root domain of our AD forest.</P><P></P><P>Issue:&nbsp; During testing, I am experiencing different results as it relates to the use of the requirement of domain notation during login.&nbsp; When testing against the primary acs server, I am able to pass authentication for users in the root domain and child domains with or without domain notation.&nbsp; When testing against the secondary ACS server, domain notation is required for child domains.</P><P></P><P> Since each server is running the same version, 5.3.0.40, and are connected to the same domain, which happens to the be the root domain of the forest, I would expect the same results from testing.&nbsp; I did confirm that they are synchronized properly.</P><P></P><P>Example:&nbsp; </P><P> - The forest name and root domain is&nbsp; X and the acs servers are members of x.</P><P> - Child domains are y and z</P><P></P><P>When I test authentication against the primary, I can login with a user from x,y, or z using domain notation (domain\username)&nbsp; or without domain notation (username)</P><P></P><P>When I test against the secondary ACS server, I can login using domain notation for x,y,z.&nbsp; But when I test with domain notation, it only works when the user is from the root domain X.&nbsp; So users from y and z must use domain notation.</P><P></P><P>The logs show the error as:</P><P><A href="https://10.12.2.34/avreports/servlet/GenericRedirector?command=submit&amp;__requesttype=immediate&amp;invokeSubmit=true&amp;__executableName=%2Fhome%2Facsadmin%2FFailure_Reason%2FAuthentication_Failure_Code_Lookup.rptdesign&amp;rptFailureReason=22056+Subject+not+found+in+the+applicable+identity+store%28s%29.&amp;__locale=en_US&amp;iportalID=TKNENRBYE&amp;__masterpage=false&amp;__newWindow=false" style="color: #ff0000; margin-top: 0pt;" target="_self" title="Click for failure reason details">22056 Subject not found in the applicable identity store(s)</A></P> Mon, 11 Mar 2019 01:59:11 GMT https://community.cisco.com/t5/network-access-control/cisco-5-3-cluster-domain-notation-only-required-when-using/m-p/1924263#M192462 tcroziercisco 2019-03-11T01:59:11Z https://community.cisco.com/t5/network-access-control/cisco-5-3-cluster-domain-notation-only-required-when-using/m-p/1924264#M192477 <HTML><HEAD></HEAD><BODY><P>More info:&nbsp; during the installation of the secondary unit, it was renamed and then reconnected to the root domain.</P></BODY></HTML> Mon, 09 Apr 2012 19:57:44 GMT https://community.cisco.com/t5/network-access-control/cisco-5-3-cluster-domain-notation-only-required-when-using/m-p/1924264#M192477 tcroziercisco 2012-04-09T19:57:44Z