06-16-2011 05:09 AM - edited 03-10-2019 06:10 PM
Dear,
When trying to authenticate a wifi user against AD we get the following message:
Authentication failed:
22056 Subject not found in the applicable identity store(s).
AD is reachable, it is the correct domain and the user can be found in the group defined in ACS.
What can be wrong?
Many thanks,
Lieven
06-16-2011 05:30 AM
This error can be seen when a request is made with a protocol that is not supported by the identity store, although this is unlikely in this case with AD.
You should also check that the identity store you are expecting (AD) is in fact used to authenticate the request. If a different rule was hit than you expected it could end up not hitting AD. How many rules do you have in the service selection policy? Does the identity policy have the AD selected as the identity source? Note if you are using the default policies as defined at system installation and doing RADIUS this can be seen at:
Access Policies > Access Services > Default Network Access > Identity
Suggest to look at the authentication details for the request. You should see information that includes the identity store that was accessed.
06-16-2011 05:41 AM
15004 Matched rule
15013 Selected Identity Store -
24430 Authenticating user against Active Directory
24412 User not found in Active Directory
24210 Looking up User in Internal Users IDStore - MFC6900
24216 The user is not found in the internal users identity store.
22016 Identity sequence completed iterating the IDStores
22056 Subject not found in the applicable identity store(s).
22058 The advanced option that is configured for an unknown user is used.
22061 The 'Reject' advanced option is configured in case of a failed authentication request.
12706 LEAP authentication failed; Finishing protocol.
11504 Prepared EAP-Failure
11003 Returned RADIUS Access-Reject
Access Service: Wireless
Identity Store:
Authorization Profiles:
Exception Authorization Profiles:
Active Directory Domain: msnet.railb.be
Identity Group:
Access Service Selection Matched Rule: Wireless
Identity Policy Matched Rule: Compatibility for exotic devices
Selected Identity Stores: AD1, Internal Users
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:
This is what we get; it is the correct rule that is addressed. What I find weird is the last part of the authentication details: query ID store and selected ID store are empty...
06-16-2011 12:15 PM
It is certainly hitting the AD database, so there is nothing that immediately springs to mind.
Couple of thoughts:
- Confirm the user name is as expected. This is also in the details.
- Enable logging of interaction to AD by doing the following on the CLI:
<<< need to wait a while for the prompt to come back. Not to worry >>>>
acs-config
Escape character is CNTL/D.
Username: ACSAdmin
Password:
cd-acs5-13-106/ACSAdmin(config-acs)# debug-adclient enable
exit
This enables full logging of traffic to the AD agent.
You can then view the logs using:
show acs-logs filename ACSADAgent.log
This may give some clues as to what is happening.
Remember to disable the logging once you complete the investigation.
That's about it. Hope this can help.
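As an added example (not from any poster in this thread, and not part of ACS itself), here is a small Python triage helper that applies the advice above to the step list posted earlier: it parses the ACS 5.x step codes, works out which identity stores were actually consulted and which of them answered "user not found", and says whether the next thing to check is the policy rules or the AD agent log. The step-code meanings are taken from the log as posted; the sample input is constructed from that same log.

```python
import re

# Constructed sample: the ACS 5.x step list posted above for the failed LEAP attempt,
# with the table pipes left in place because that is how the report pastes.
SAMPLE_STEPS = """\
15004 Matched rule |
15013 Selected Identity Store - |
24430 Authenticating user against Active Directory |
24412 User not found in Active Directory |
24210 Looking up User in Internal Users IDStore - MFC6900 |
24216 The user is not found in the internal users identity store. |
22016 Identity sequence completed iterating the IDStores |
22056 Subject not found in the applicable identity store(s). |
22058 The advanced option that is configured for an unknown user is used. |
22061 The 'Reject' advanced option is configured in case of a failed authentication request. |
12706 LEAP authentication failed; Finishing protocol. |
11504 Prepared EAP-Failure |
11003 Returned RADIUS Access-Reject |
"""

# Step codes taken from the posted log: which store was consulted, and which store said "not found".
STORE_LOOKUP = {"24430": "Active Directory", "24210": "Internal Users"}
STORE_MISS = {"24412": "Active Directory", "24216": "Internal Users"}

def parse_steps(text):
    """Return (code, description) pairs, dropping the trailing table pipe."""
    steps = []
    for line in text.splitlines():
        m = re.match(r"\s*(\d{5})\s+(.*?)\s*\|?\s*$", line)
        if m:
            steps.append((m.group(1), m.group(2)))
    return steps

def triage(text, expected_store="Active Directory"):
    """Say whether the expected store was reached, and if so whether it rejected the lookup."""
    codes = [code for code, _ in parse_steps(text)]
    consulted = [STORE_LOOKUP[c] for c in codes if c in STORE_LOOKUP]
    missed = [STORE_MISS[c] for c in codes if c in STORE_MISS]
    if expected_store not in consulted:
        hint = "policy never reached %s: check the service selection and identity policy rules" % expected_store
    elif expected_store in missed:
        hint = "%s was queried and answered 'user not found': check the username format, then the AD agent log" % expected_store
    else:
        hint = "%s lookup succeeded; the failure is later in the flow" % expected_store
    return {"consulted": consulted, "missed": missed, "rejected": "11003" in codes, "hint": hint}

if __name__ == "__main__":
    print(triage(SAMPLE_STEPS))
```

For the log in this thread the helper reports that AD was consulted and answered "not found", which points at the username itself (or the AD agent, hence the debug-adclient suggestion) rather than at rule selection.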
08-08-2014 10:03 AM
I know this is 3+ years later but check the time on the ACS. My time was off by 1hr due to incorrect timezone setting. Once the correct timezone was entered the problem subsided.