ACS 5.2 AD user not found

lni1
Level 1

Dear,

When trying to authenticate a wifi user against AD we get the following message :

Authentication failed :

22056 Subject not found in the applicable identity store(s).

AD is reachable, it is the correct domain and the user can be found in the group defined in ACS.

What can be wrong ?

Many thanks,

Lieven

4 Replies

jrabinow
Level 7

This error can be seen when a request is made with a protocol that is not supported by the identity store, although this is unlikely in this case with AD.

You should also check that the identity store you are expecting (AD) is in fact used to authenticate the request. If a different rule was hit than you expected, it could end up not hitting AD. How many rules do you have in the service selection policy? Does the identity policy have the AD selected as the identity source? Note that if you are using the default policies as defined at system installation and doing RADIUS, this can be seen at:

Access Policies > Access Services > Default Network Access > Identity

I suggest looking at the authentication details for the request. You should see information that includes the identity store that was accessed:

15004  Matched rule
15013  Selected Identity Store -
24430  Authenticating user against Active Directory
24412  User not found in Active Directory
24210  Looking up User in Internal Users IDStore - MFC6900
24216  The user is not found in the internal users identity store.
22016  Identity sequence completed iterating the IDStores
22056  Subject not found in the applicable identity store(s).
22058  The advanced option that is configured for an unknown user is used.
22061  The 'Reject' advanced option is configured in case of a failed authentication request.
12706  LEAP authentication failed; Finishing protocol.
11504  Prepared EAP-Failure
11003  Returned RADIUS Access-Reject

Access Service: Wireless
Identity Store:
Authorization Profiles:
Exception Authorization Profiles:
Active Directory Domain: msnet.railb.be
Identity Group:
Access Service Selection Matched Rule: Wireless
Identity Policy Matched Rule: Compatibility for exotic devices
Selected Identity Stores: AD1, Internal Users
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:

This is what we get; it is the correct rule that is addressed. What I find weird is the last part of the authentication details: query ID store and selected ID store are empty...

It is certainly hitting the AD database, so there is nothing that immediately springs to mind.

A couple of thoughts:

- Confirm the user name is as expected. This is also in the details.

- Enable logging of the interaction with AD by doing the following on the CLI:

<<< need to wait a while for the prompt to come back. Not to worry >>>>

acs-config
Escape character is CNTL/D.


Username: ACSAdmin
Password:

cd-acs5-13-106/ACSAdmin(config-acs)# debug-adclient enable

exit

This enables full logging of traffic to the AD agent.

You can then view the logs using:

show acs-logs filename ACSADAgent.log

This may give some clues as to what is happening.

Remember to disable the logging once you complete the investigation.

That's about it. Hope this can help.

Will Shryock
Level 1

I know this is 3+ years later, but check the time on the ACS. My time was off by 1 hr due to an incorrect timezone setting. Once the correct timezone was entered the problem subsided.
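As an added triage helper (my own code, not from the thread or from Cisco), the Python below parses the numbered step lines from the authentication details quoted above and separates the two cases the replies distinguish: AD was never consulted (wrong service selection or identity policy rule) versus AD was queried and did not return the subject (username, clock/timezone, then debug-adclient). The step codes and the sample come from this thread; the classification labels and hint text are mine.

```python
import re

# Step codes taken from the authentication details quoted in this thread.
AD_LOOKUP, AD_NOT_FOUND = "24430", "24412"
INTERNAL_LOOKUP, INTERNAL_NOT_FOUND = "24210", "24216"
SEQUENCE_DONE, SUBJECT_NOT_FOUND = "22016", "22056"

# An ACS step line is a five-digit code followed by free text.
STEP_RE = re.compile(r"^\s*(\d{5})\s+(.+?)\s*$")


def parse_steps(text):
    """Return [(code, message), ...] for each 'NNNNN message' line, with
    the double spaces left by copy/paste collapsed to single spaces."""
    steps = []
    for line in text.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append((m.group(1), re.sub(r"\s+", " ", m.group(2))))
    return steps


def triage(text):
    """Classify a 22056 reject by where in the identity sequence it failed."""
    codes = {code for code, _ in parse_steps(text)}
    if SUBJECT_NOT_FOUND not in codes:
        return "not-22056", "Different failure; read the step list from the top."
    if AD_LOOKUP not in codes:
        return "ad-not-consulted", ("AD was never queried: check which service "
                                   "selection and identity policy rule matched.")
    if AD_NOT_FOUND in codes:
        return "ad-user-not-found", ("AD was queried but did not return the subject: "
                                    "confirm the exact username, the ACS clock and "
                                    "timezone, then enable debug-adclient.")
    return "ad-queried", "AD lookup attempted; inspect ACSADAgent.log."


# Constructed sample, copied from the step list earlier in this thread.
SAMPLE = """\
15004  Matched rule
15013  Selected Identity Store -
24430  Authenticating user against Active  Directory
24412  User not found in Active  Directory
24210  Looking up User in Internal Users IDStore -  MFC6900
24216  The user is not found in the internal users  identity store.
22016  Identity sequence completed iterating the  IDStores
22056  Subject not found in the applicable identity  store(s).
11003  Returned RADIUS Access-Reject
"""

if __name__ == "__main__":
    print(triage(SAMPLE))  # ('ad-user-not-found', '...')
```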