Showing results for 
Search instead for 
Did you mean: 

ACS 5.2 - Authentication with AD -UPN

Level 1
Level 1

I am trying to configure RADUIS authentification using the UPN as a userame.

I always receive the following error

22056 Subject not found in the applicable identity store (s).

does any oun know why

Patrick Roch

8 Replies 8

Tiago Antunes
Cisco Employee
Cisco Employee


That message means that the ACS retrieved the string from the client credentials and tried to authenticate it against the configured identity store, however that username was not found there.

Can you please elaborate more about your setup?

What is the EAP method? PEAP/EAP-FAST/EAP-TLS?

And the inner authnetication method? MS-CHAPv2?

Are you using certs based authentication?

What is the Identity store? AD/LDAP/Internal ACS DB?

What is the username on that failed attempt log? Is that what you were expecting to see?




If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

hello - i was about to post a similar topic when i found this thread:

we're currently using ACS 4.0 to authenticate wireless users (PEAP) against Active Directory. this works fine and if a user logs in as or, ACS 4.0 strips the suffix and sends the username as j.bloggs to AD (see link below)

i'm having a problem duplicating this suffix removal for PEAP authentication in ACS 5 (running in a VM). i found the following link:

this works fine for PAP_ASCII but not for PEAP (EAP-MSCHAPv2) - any ideas on how to acheive this in ACS 5?



I thank for replys to my posting.

My configuration is using an external DB witch is ActiveDirectory.

We are doing PEAP and EAP-FAST both with MS-CHAP v2.

When we use the normal username (j.doe), it work, so my communication with AD is good.

It is when we use the UPN that it doen't. (



Thanks for replying to my post.

We are using an external DB witch is AD.

We are using PEAP and EAP-Fast with MS-CHAP-V2.

The setup work fin when we use the normal AD username (ex. j.doe) But when for the same user I what to use the UPN ( it is then that I receive the error message.




is "" a valid UPN suffix on your AD domain? i can authenticate users ok if their UPN suffix is valid - problem is that some users use non-valid UPN suffix's and i need to get ACS 5 to strip the suffix before its sent to AD (i.e. like ACS 4 does). if i can't get that working i'll have to see about adding all the possible UPN suffixs to the AD.


andy for me is an exemple.

but, in the configuration of the AD external identity sotre, my Active Directory Domain Name is :

And the UPN configure for my users are  Could this be a source of my trouble, and if so, I can I make it work.

Also when I go in the Directoy attribute tab, and I enter the username j.doe, and do select, it retreive the fuul attribute for that user and I see the UPN. Why I cannot use it I don't know.

Also this work in ACS 4.2......


what protocols are you using for your ACS 5 Access Service (see above) - do you have MS-CHAPv2 enabled? if you are using a valid UPN username for your AD it sounds like you have a different issue to me.



Does anyone have a solution for an EAP-PEAPv0/MSCHAPv2 authentication with the UPN as username?