https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512016#M253850 <HTML><HEAD></HEAD><BODY><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/1/0/4/9401-ACS%205%20Access%20Services.jpg" class="jive-image" /></P><P>what protocols are you using for your ACS 5 Access Service (see above) - do you have MS-CHAPv2 enabled? if you are using a valid UPN username for your AD it sounds like you have a different issue to me.</P><P>cheers</P><P>andy</P></BODY></HTML> Wed, 08 Dec 2010 15:59:54 GMT andrewswanson 2010-12-08T15:59:54Z https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512009#M253843 <P>I am trying to configure RADUIS authentification using the UPN as a userame.</P><P>I always receive the following error</P><P></P><P></P><P>22056 Subject not found in the applicable identity store (s).</P><P></P><P>does any oun know why</P><P></P><P>Patrick Roch</P> Tue, 26 Mar 2019 00:27:33 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512009#M253843 PATRICK ROCH 2019-03-26T00:27:33Z https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512010#M253844 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>That message means that the ACS retrieved the string from the client credentials and tried to authenticate it against the configured identity store, however that username was not found there.</P><P></P><P>Can you please elaborate more about your setup?</P><P>What is the EAP method? PEAP/EAP-FAST/EAP-TLS?</P><P>And the inner authnetication method? MS-CHAPv2?</P><P>Are you using certs based authentication?</P><P></P><P>What is the Identity store? AD/LDAP/Internal ACS DB?</P><P></P><P>What is the username on that failed attempt log? Is that what you were expecting to see?</P><P></P><P>HTH,</P><P>Tiago</P><P></P><DIV class="jive-rendered-content"><DIV class="jive-rendered-content"><P>--</P><P>If&nbsp; this helps you and/or answers your question please mark the question as&nbsp; "answered" and/or rate it, so other users can easily find it.</P></DIV></DIV></BODY></HTML> Wed, 08 Dec 2010 10:08:34 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512010#M253844 Tiago Antunes 2010-12-08T10:08:34Z https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512011#M253845 <HTML><HEAD></HEAD><BODY><P>hello - i was about to post a similar topic when i found this thread:</P><P></P><P><SPAN style="font-size: 10pt;"></SPAN></P><P><SPAN>we're currently using ACS 4.0 to authenticate wireless users (PEAP) against Active Directory. this works fine and if a user logs in as </SPAN><A class="jive-link-email-small" href="mailto:j.bloggs@acme.com">j.bloggs@acme.com</A><SPAN> or </SPAN><A class="jive-link-email-small" href="mailto:j.bloggs@another.acme.com">j.bloggs@another.acme.com</A><SPAN>, ACS 4.0 strips the suffix and sends the username as j.bloggs to AD (see link below)</SPAN></P><P></P><P><A href="http://cisco.biz/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp353993">http://cisco.biz/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.0/user/guide/d.html#wp353993</A></P><P></P><P>i'm having a problem duplicating this suffix removal for PEAP authentication in ACS 5 (running 5.1.0.44 in a VM). i found the following link:</P><P></P><P><A href="https://community.cisco.com/docs/DOC-13714?decorator=print">https://supportforums.cisco.com/docs/DOC-13714?decorator=print</A></P><P></P><P>this works fine for PAP_ASCII but not for PEAP (EAP-MSCHAPv2) - any ideas on how to acheive this in ACS 5?</P><P></P><P>thanks</P><P>andy</P><P></P></BODY></HTML> Wed, 08 Dec 2010 13:12:30 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512011#M253845 andrewswanson 2010-12-08T13:12:30Z https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512012#M253846 <HTML><HEAD></HEAD><BODY><P>I thank for replys to my posting.</P><P></P><P>My configuration is using an external DB witch is ActiveDirectory.</P><P>We are doing PEAP and EAP-FAST both with MS-CHAP v2.</P><P></P><P>When we use the normal username (j.doe), it work, so my communication with AD is good.</P><P><SPAN>It is when we use the UPN that it doen't. (</SPAN><A class="jive-link-email-small" href="mailto:john.doe@acme.com">john.doe@acme.com</A><SPAN>)</SPAN></P><P></P><P>thanks</P><P></P><P>Patrick</P></BODY></HTML> Wed, 08 Dec 2010 15:24:20 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512012#M253846 PATRICK ROCH 2010-12-08T15:24:20Z https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512013#M253847 <HTML><HEAD></HEAD><BODY><P>Thanks for replying to my post.</P><P></P><P>We are using an external DB witch is AD.</P><P></P><P>We are using PEAP and EAP-Fast with MS-CHAP-V2.</P><P></P><P><SPAN>The setup work fin when we use the normal AD username (ex. j.doe) But when for the same user I what to use the UPN (</SPAN><A class="jive-link-email-small" href="mailto:john.doe@acme.com">john.doe@acme.com</A><SPAN>) it is then that I receive the error message.</SPAN></P><P></P><P></P><P>Thanks</P><P></P><P>Patrick</P></BODY></HTML> Wed, 08 Dec 2010 15:27:06 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512013#M253847 PATRICK ROCH 2010-12-08T15:27:06Z https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512014#M253848 <HTML><HEAD></HEAD><BODY><P>hi</P><P>is "acme.com" a valid UPN suffix on your AD domain? i can authenticate users ok if their UPN suffix is valid - problem is that some users use non-valid UPN suffix's and i need to get ACS 5 to strip the suffix before its sent to AD (i.e. like ACS 4 does). if i can't get that working i'll have to see about adding all the possible UPN suffixs to the AD.</P><P>cheers</P><P>andy</P></BODY></HTML> Wed, 08 Dec 2010 15:38:32 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512014#M253848 andrewswanson 2010-12-08T15:38:32Z https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512015#M253849 <HTML><HEAD></HEAD><BODY><P>acme.com for me is an exemple.</P><P></P><P>but, in the configuration of the AD external identity sotre, my Active Directory Domain Name is : SIM.acme.com</P><P></P><P><SPAN>And the UPN configure for my users are </SPAN><A class="jive-link-email-small" href="mailto:john.doe@acme.com">john.doe@acme.com</A><SPAN>.&nbsp; Could this be a source of my trouble, and if so, I can I make it work.</SPAN></P><P></P><P>Also when I go in the Directoy attribute tab, and I enter the username j.doe, and do select, it retreive the fuul attribute for that user and I see the UPN. Why I cannot use it I don't know.</P><P></P><P>Also this work in ACS 4.2......</P><P></P><P>Patrick</P></BODY></HTML> Wed, 08 Dec 2010 15:44:47 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512015#M253849 PATRICK ROCH 2010-12-08T15:44:47Z https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512016#M253850 <HTML><HEAD></HEAD><BODY><P><IMG src="http://supportforums.cisco.com/sites/default/files/legacy/1/0/4/9401-ACS%205%20Access%20Services.jpg" class="jive-image" /></P><P>what protocols are you using for your ACS 5 Access Service (see above) - do you have MS-CHAPv2 enabled? if you are using a valid UPN username for your AD it sounds like you have a different issue to me.</P><P>cheers</P><P>andy</P></BODY></HTML> Wed, 08 Dec 2010 15:59:54 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512016#M253850 andrewswanson 2010-12-08T15:59:54Z https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512017#M253851 <HTML><HEAD></HEAD><BODY><P>Does anyone have a solution for an EAP-PEAPv0/MSCHAPv2 authentication with the UPN as username?</P></BODY></HTML> Wed, 04 Sep 2013 14:06:51 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-authentication-with-ad-upn/m-p/1512017#M253851 Lukas Bielinski 2013-09-04T14:06:51Z