12-06-2010 01:17 PM - last edited on 03-25-2019 05:27 PM by ciscomoderator
I am trying to configure RADIUS authentication using the UPN as a username.
I always receive the following error:
22056 Subject not found in the applicable identity store(s).
Does anyone know why?
Patrick Roch
12-08-2010 02:08 AM
Hi,
That message means that the ACS retrieved the string from the client credentials and tried to authenticate it against the configured identity store, however that username was not found there.
Can you please elaborate more about your setup?
What is the EAP method? PEAP/EAP-FAST/EAP-TLS?
And the inner authentication method? MS-CHAPv2?
Are you using certs based authentication?
What is the Identity store? AD/LDAP/Internal ACS DB?
What is the username on that failed attempt log? Is that what you were expecting to see?
HTH,
Tiago
--
If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.
12-08-2010 05:12 AM
hello - i was about to post a similar topic when i found this thread:
we're currently using ACS 4.0 to authenticate wireless users (PEAP) against Active Directory. this works fine and if a user logs in as j.bloggs@acme.com or j.bloggs@another.acme.com, ACS 4.0 strips the suffix and sends the username as j.bloggs to AD (see link below).
i'm having a problem duplicating this suffix removal for PEAP authentication in ACS 5 (running 5.1.0.44 in a VM). i found the following link:
https://supportforums.cisco.com/docs/DOC-13714?decorator=print
this works fine for PAP_ASCII but not for PEAP (EAP-MSCHAPv2) - any ideas on how to achieve this in ACS 5?
thanks
andy
12-08-2010 07:24 AM
Thanks for the replies to my posting.
My configuration is using an external DB, which is Active Directory.
We are doing PEAP and EAP-FAST, both with MS-CHAP v2.
When we use the normal username (j.doe), it works, so my communication with AD is good.
It is when we use the UPN (john.doe@acme.com) that it doesn't.
thanks
Patrick
12-08-2010 07:27 AM
Thanks for replying to my post.
We are using an external DB, which is AD.
We are using PEAP and EAP-FAST with MS-CHAP-V2.
The setup works fine when we use the normal AD username (ex. j.doe), but when for the same user I want to use the UPN (john.doe@acme.com), that is when I receive the error message.
Thanks
Patrick
12-08-2010 07:38 AM
hi
is "acme.com" a valid UPN suffix on your AD domain? i can authenticate users ok if their UPN suffix is valid - the problem is that some users use non-valid UPN suffixes and i need to get ACS 5 to strip the suffix before it's sent to AD (i.e. like ACS 4 does). if i can't get that working i'll have to see about adding all the possible UPN suffixes to the AD.
cheers
andy
12-08-2010 07:44 AM
acme.com for me is an example.
But, in the configuration of the AD external identity store, my Active Directory Domain Name is: SIM.acme.com
And the UPN configured for my users is john.doe@acme.com. Could this be the source of my trouble, and if so, how can I make it work?
Also, when I go to the Directory Attributes tab, enter the username j.doe and click select, it retrieves the full attributes for that user and I see the UPN. Why I cannot use it, I don't know.
Also, this works in ACS 4.2......
Patrick
12-08-2010 07:59 AM
what protocols are you using for your ACS 5 Access Service (see above) - do you have MS-CHAPv2 enabled? if you are using a valid UPN username for your AD it sounds like you have a different issue to me.
cheers
andy
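The two behaviours the thread contrasts, ACS 4 stripping an unregistered suffix before the AD lookup versus passing a UPN through whole, and the 22056 result when the value handed to AD matches neither a sAMAccountName nor a userPrincipalName, modelled as an added example. This is constructed illustration code, not ACS's implementation; the suffix list, the directory entries and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed sample data (hypothetical, not the thread's AD): the UPN
# suffixes registered in the forest, and a tiny directory keyed by
# sAMAccountName holding each account's userPrincipalName.
VALID_UPN_SUFFIXES: FrozenSet[str] = frozenset({"sim.acme.com", "acme.com"})
DIRECTORY = {
    "j.doe": {"userPrincipalName": "john.doe@acme.com"},
    "j.bloggs": {"userPrincipalName": "j.bloggs@acme.com"},
}
NOT_FOUND = "22056 Subject not found in the applicable identity store(s)"


@dataclass(frozen=True)
class Identity:
    lookup_key: str        # value handed to the identity store
    suffix: Optional[str]  # suffix the supplicant supplied, if any
    action: str            # "as-is", "upn", "stripped" or "rejected"


def normalise_identity(raw: str, valid_suffixes=VALID_UPN_SUFFIXES) -> Identity:
    """Decide how a RADIUS/EAP identity string is presented to AD."""
    raw = raw.strip()
    if "@" not in raw:
        # Plain account name such as j.doe: pass through unchanged.
        return Identity(raw, None, "as-is" if raw else "rejected")
    user, _, suffix = raw.rpartition("@")
    suffix = suffix.lower()
    if not user or not suffix or "@" in user:
        # Empty user part, empty realm, or a second "@": refuse to guess.
        return Identity("", suffix or None, "rejected")
    if suffix in valid_suffixes:
        # A suffix the forest knows: send the UPN whole so AD can resolve it.
        return Identity(f"{user}@{suffix}", suffix, "upn")
    # Unknown suffix: the ACS 4-style behaviour described above, drop it.
    return Identity(user, suffix, "stripped")


def resolve(identity: Identity, directory=DIRECTORY) -> str:
    """Return the matched sAMAccountName, or the message an admin would see."""
    if identity.action == "rejected":
        return "rejected: malformed identity"
    key = identity.lookup_key.lower()  # AD name matching is case-insensitive
    for sam, attrs in directory.items():
        if key in (sam.lower(), attrs["userPrincipalName"].lower()):
            return sam
    return NOT_FOUND
```

Running john.doe@acme.com with acme.com removed from the registered suffixes shows the failure mode in the thread: the stripped value john.doe matches no sAMAccountName, so the lookup returns the 22056 message even though the full UPN would have resolved.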
09-04-2013 07:06 AM
Does anyone have a solution for an EAP-PEAPv0/MSCHAPv2 authentication with the UPN as username?