ACS 5.3 - 22056 Subject not found in the applicable identity store(s).

Carlos Reyes
Level 1

Hi, I have a new ACS 5.3 configured and an ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."

I checked out the documentation and have already configured the Identity Store Sequences to redirect everything to the LDAP server. I also did the Bind test and it says that it is OK, but I still have the same problem.

I validated the Access Policies menu and tried to create a new Service Selection Rule, but when I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page." I'm not able to modify the identity, neither in this new option I created nor in the ones already created in the ACS.

I appreciate any help.

Thanks..

9 Replies

jrabinow
Level 7

Which browser, and which version of the browser, are you using?

Hi, I'm using Internet Explorer 8.0 and Mozilla Firefox 17.01.

With Firefox, I get the error "This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page."

With Internet Explorer I'm able to change the Identity on the Default Device Admin option to the Identity Source pointing to the LDAP server, but I still get the message "22056 Subject not found in the applicable identity store(s)." when I test a connection with a VPN user.

This version of Firefox is not yet supported. Note that patch 1 for ACS 5.4 will include support for later versions of Firefox (at least up to version 16).

Are you processing RADIUS or TACACS+ requests? If the former, and you are using the default services, you would need to change the identity source for "Default Network Access".

Hi, yes, I'm currently using only the Internet Explorer browser. I'm processing the requests using TACACS+ and the default Device Admin identity.

Thank you for your collaboration.

Tarik Admani
VIP Alumni

Please share your identity sequence configuration. Where in the sequence is this ldap server? Is there a database that may have the user account higher in the sequence?


Sent from Cisco Technical Support Android App

A couple of suggestions:

- Go to LDAP, Directory Organization tab and press "Test Configuration" and see that users and groups are returned.

- Go to Monitoring and Reporting -> Authentications - TACACS - Today, then press Details and share the output. This will clarify how the request was processed.

Hi Jrabinow:

1. Test configuration in LDAP: Yes, it retrieves users and groups >100

2. Output of TACACS-Today:

Status: Failed
Failure Reason: 22056 Subject not found in the applicable identity store(s).
Logged At: Dec 11, 2012 10:44 AM
ACS Time: Dec 11, 2012 10:44 AM
ACS Instance: cbo-acsgxni-2.co.xxx.com
Authentication Method: PAP_ASCII
Authentication Type: ASCII
Privilege Level: 1

User
Username: joe@co.xxx.com
Remote Address: 0.0.0.0

Network Device
Network Device: FW-GSI
Network Device IP Address: xx.xx.34.97
Network Device Groups: Device Type:All Device Types:Firewall, Location:All Locations

Access Policy
Access Service: Default Device Admin
Identity Store:
Selected Shell Profile:
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule : Rule-2
Identity Policy Matched Rule: Default
Selected Identity Stores: LDAP-SRV, LDAP-SRV
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:

Authentication Result
AuthenticationResult=UnknownUser
Type=Authentication
Authen-Reply-Status=Fail

Steps
Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - Default Device Admin
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
Sending request to primary LDAP server
Authenticating user against LDAP Server
User not found in LDAP Server
Sending request to primary LDAP server
Authenticating user against LDAP Server
User not found in LDAP Server
Identity sequence completed iterating the IDStores
Subject not found in the applicable identity store(s).
The advanced option that is configured for an unknown user is used.
The 'Reject' advanced option is configured in case of a failed authentication request.
Returned TACACS+ Authentication Reply

Other
ACS Session ID: cbo-acsgxni-2.co.xxx.com/142028392/109
Service: Login
AV Pairs:
Response Time: 716
Other Attributes:
ACSVersion=acs-5.3.0.40-B.839
ConfigVersionId=137
Device Port=32950
Protocol=Tacacs
Type=Authentication
Action=Login
Port=1590
Action=Login
Port=1590


Thank you..

Hi,

The sequence is (Identity Store Sequences):

Password Based

Authentication and Attribute Retrieval Search List, Selected:
LDAP
Internal Users

Additional Attribute Retrieval Search List, Selected:
LDAP
Internal Users

Advanced option: Break Sequence

Thanks.
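As an added illustration, not code from the thread or from Cisco: a small Python script that parses the "Steps" section of an ACS 5.x authentication-detail report like the one posted above and summarizes how the identity-store sequence was walked, so a 22056 result can be traced store by store. The sample report is constructed from the posted output, the store names in CONFIGURED_SEQUENCE are taken from the sequence posted above, and the realm-suffix check is a general LDAP-lookup caveat (the subject-name attribute must match whatever string the device sends), not something the thread states.

```python
# Added example (not from the thread): summarize how an ACS 5.x
# authentication-detail report walked the identity-store sequence, so the
# "22056 Subject not found" outcome can be traced store by store.
# The sample report below is constructed from the output posted in the thread.
from collections import Counter

SAMPLE_REPORT = """\
Failure Reason: 22056 Subject not found in the applicable identity store(s).
Username: joe@co.xxx.com
Access Service: Default Device Admin
Selected Identity Stores: LDAP-SRV, LDAP-SRV
Steps
Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - Default Device Admin
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
Sending request to primary LDAP server
Authenticating user against LDAP Server
User not found in LDAP Server
Sending request to primary LDAP server
Authenticating user against LDAP Server
User not found in LDAP Server
Identity sequence completed iterating the IDStores
Subject not found in the applicable identity store(s).
The advanced option that is configured for an unknown user is used.
The 'Reject' advanced option is configured in case of a failed authentication request.
Returned TACACS+ Authentication Reply
"""

# Store names as listed in the "Password Based" search list of the posted sequence.
CONFIGURED_SEQUENCE = ["LDAP", "Internal Users"]


def parse_report(text):
    """Split a report into header fields (before 'Steps') and the step lines after it."""
    header, steps, in_steps = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "Steps":
            in_steps = True
        elif in_steps:
            steps.append(line)
        else:
            key, sep, value = line.partition(":")
            if sep:
                header[key.strip()] = value.strip()
    return header, steps


def analyze(text, configured_sequence):
    """Return the counts a reviewer wants plus a list of plain-text findings."""
    header, steps = parse_report(text)
    username = header.get("Username", "")
    stores = [s.strip() for s in header.get("Selected Identity Stores", "").split(",") if s.strip()]
    distinct = list(dict.fromkeys(stores))  # keep order, drop repeats
    lookups = sum(s.startswith("Authenticating user against") for s in steps)
    not_found = sum(s.startswith("User not found") for s in steps)
    completed = any(s.startswith("Identity sequence completed") for s in steps)

    findings = []
    for store, n in Counter(stores).items():
        if n > 1:
            findings.append(f"{store} is listed {n} times in the selected identity stores")
    if len(distinct) < len(configured_sequence):
        findings.append(
            f"sequence configures {len(configured_sequence)} stores but the report "
            f"consulted {len(distinct)} distinct store(s)")
    if "@" in username:
        bare, _, realm = username.partition("@")
        findings.append(
            f"username carries realm suffix '{realm}'; the store's subject-name "
            f"attribute must match the full string, or the lookup must use '{bare}'")
    if completed and lookups and not_found == lookups:
        findings.append("every lookup returned 'user not found' and the sequence ran to the end: "
                        "a lookup miss, not a password failure")
    return {
        "failure": header.get("Failure Reason", ""),
        "username": username,
        "stores_in_report": stores,
        "distinct_stores": distinct,
        "lookups": lookups,
        "not_found": not_found,
        "completed": completed,
        "findings": findings,
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_REPORT, CONFIGURED_SEQUENCE)
    for key in ("failure", "username", "stores_in_report", "lookups", "not_found"):
        print(f"{key}: {result[key]}")
    for finding in result["findings"]:
        print("finding:", finding)
```

Run against the posted report, the script shows two lookups that both return "user not found" against the same store, a configured two-store sequence of which only one distinct store was consulted, and a username sent in user@realm form, which is the checklist to walk through before changing anything else in the policy.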

Hi


I know this is an old post but did you find solution to this issue?

Thank you

Pathy
