HP-device 22056 Subject not found in the applicable identity store(s)

getaway51
Level 2

Hi,

 

The device has MatchedPolicy: HP-Device, which is assigned automatically by ISE.

It has been customized into IdentityGroup: Laptop-mab.

The device seems to use RadiusFlowType: WiredMAB.

FailureReason: 22056 Subject not found in the applicable identity store(s)

 

Since this is a laptop, it is supposed to use 802.1X, then MAB. What does the FailureReason mean?


6 Replies

Arne Bier
VIP

It appears that the laptop supplicant is not doing 802.1X for some reason. You need to show us the switch port config to help prove that point, as well as the laptop's supplicant config.

If the switch is configured to perform 802.1X, then MAB, then it means the supplicant did not send any EAPOL frames, nor did it respond to the switch's EAP requests. The laptop then probably sent a DHCP discovery and the switch converted that into a MAB request and sent it to ISE. You clearly have a wired MAB policy, but since you didn't expect this laptop to send a MAB request, you would not have had its MAC address stored anywhere - hence, MAB auth failed with that message.

 

If there is a supplicant on the laptop and it works well, yet you still get these ISE errors, then it may be that you're doing IBNS 2.0 with the parallel 802.1X/MAB event feature - IBNS 2.0 allows both events to trigger at the same time instead of running in series (with a timeout). This is a nice thing, but would result in two auths each time and one of them would be a failure. Probably to be used in very specific cases only. 

Hi Arne,

 

Many thanks for your good explanation.

Under Context Visibility -> Endpoints -> Authentication, I can see nothing there.

But under Attributes, I can see the RADIUS flow is MAB. The device has been customized into identity group laptop-mab.

 

Could it be that the laptop didn't log in to AD, meaning it's not running any auth, like just leaving the machine ON without logging in, or already logged out from AD?

In "22056 Subject not found in the applicable identity store(s)", does "applicable identity store" here refer to the identity group laptop-mab?

Actually, I found many endpoints with this message, even though these endpoints have been added into identity group laptop-mab, which PASSES the authorization policy (not DENY access).

The part you need to investigate is the port config on the switch.

I am pretty sure now that it's IBNS 2.0 - you would need to share with us your "policy-map type control subscriber" so that we can confirm whether you are doing parallel auth mode (the class maps around "event session-started" )

 

Also, look in Live Logs and Reports. Context Visibility is probably not the best place to monitor the system.

 

The cause of all of this could either be

  1. You're running IBNS 2.0 with concurrent event processing enabled, and/or
  2. The laptop supplicant is not configured correctly - if it were, then the switch would never need to send a MAB request to ISE. If the supplicant is configured for 802.1X Machine Authentication, then you will get a network auth event during laptop boot-up and when users log out of a session. When users log into Windows, no network auth event should be seen on the switch (unless User Auth is also enabled in the supplicant). Bottom line: you need to investigate the supplicant.

 

 

Hi Arne,

Is this "parallel auth mode"?

policy-map type control subscriber CONCURRENT_DOT1X_MAB
 event session-started match-all
  10 class always do-until-failure
   10 authenticate using dot1x priority 10
   20 authenticate using mab priority 20

Does it mean I don't need to worry about the device as long as I placed it in the laptop-mab identity group, where ALL traffic is allowed? Also, since DOT1X takes precedence, MAB will take place if DOT1X fails, and the device will go into the laptop-mab identity group.

Can I assume that if EITHER method goes through, the device will work?

 

Hi

 

Yes that will perform Concurrent Authentication

 

Here is the "classic mode" where folks do one after the other - first 802.1X, then MAB

event session-started match-all
 10 class always do-until-failure
  10 authenticate using dot1x priority 10
event authentication-failure match-first
 5 class AI_DOT1X_FAILED do-until-failure
  10 terminate dot1x
  20 authenticate using mab priority 20

 

And the Concurrent auth looks like this

 

event session-started match-all
 10 class always do-until-failure
  10 authenticate using dot1x priority 10
  20 authenticate using mab priority 20
event authentication-failure match-first
 5 class AI_DOT1X_FAILED do-until-failure
  10 terminate dot1x
  20 authenticate using mab priority 20

There is a great document below that shows this very nicely:

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2016/pdf/LTRSEC-2017-LG.pdf

 

What do you want to do with MAB requests that come into ISE? Do you have Endpoint Identity Groups? Do you want to match based on Endpoint Profiles (i.e. ISE Profiling) ? Do you want to allow any device on regardless and place them in VLAN 999 for profiling or guest VLAN?  All these questions need answering. It's probably common to never reject a MAB request, and to place "unknown/untrusted" devices into a VLAN until further notice. That might mean it's a guest VLAN with internet. Or it may be a VLAN that you use to give the device an IP address and let ISE profile for a while - and then once it's been profiled, ISE can send a CoA and kick the device into the appropriate VLAN.

Hi Arne,

 

Many, many thanks for your marvelous reply. Really appreciate that.

1) What do you want to do with MAB requests that come into ISE? - If the device is in a customized "Endpoint Identity Group", will it PASS both dot1x and MAB?

If the device is NOT in a customized "Endpoint Identity Group", will it PASS dot1x and FAIL MAB?

Are these correct?

2) Do you have Endpoint Identity Groups? YES, customized "Endpoint Identity Groups" with ALLOW rules in the authorization policy.

3) Do you want to match based on Endpoint Profiles (i.e. ISE Profiling)? This is the part I don't really get. Normally Policy Assignment is left at the default, and Identity Group Assignment is manually selected from the configured "Endpoint Identity Groups" like laptop-mab, cctv-mab, etc. Is "Endpoint Profiles" like the default ISE "Profiled" group that defines the authentication part?

FYI, the authentication policy is "Internal Endpoints" - allow all, which I think means ALL endpoints fall under this, so ALL devices shall be ALLOWED, none blocked. Not sure if my understanding is correct?

 

4) Do you want to allow any device on regardless and place them in VLAN 999 for profiling or a guest VLAN?

Does this require additional config in the switches or ISE? I am not sure how the auth process works for this "VLAN 999 for profiling or guest VLAN".

 

All these questions need answering. It's probably common to never reject a MAB request, and to place "unknown/untrusted" devices into a VLAN until further notice. That might mean it's a guest VLAN with internet. Or it may be a VLAN that you use to give the device an IP address and let ISE profile for a while - and then once it's been profiled, ISE can send a CoA and kick the device into the appropriate VLAN.

- Is this setup the same config as 802.1X BYOD?

In terms of config in the switches and ISE, is it complicated?

In layman's terms, can I say that a guest comes into the company with their laptop, then their access goes through ISE and is controlled by a dynamic ACL in the switch? Correct?