cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5341
Views
0
Helpful
6
Replies

Can't authenticate user from AD through ISE

osamakajeji
Level 1
Level 1

Dears

I'm trying to authenticate user from ISE after retrieving the groups from AD but can't be authenticated. 

Troubleshooting

from NAD

test aaa group radius <username in AD> <password in AD> new-code

authenticated was rejected

test aaa group radius <username in ISE> <password in ISE> new-code

authenticated success

- AD 2012

- ISE: 1.2  

- NAD: 3560 IOS ver 15

 

appreciate the assist

Thanks alot

 

 

Live Authentication output

Overview

Event

5400 Authentication failed

Username

mohammed.ali

Endpoint Id

 

Endpoint Profile

 

Authorization Profile

 

ISEPolicySetName

Default

IdentitySelectionMatchedRule

Default

 

Authentication Details

Source Timestamp

2014-05-09 06:03:46.592

Received Timestamp

2014-05-09 06:03:46.591

Policy Server

hlc-ise1

Event

5400 Authentication failed

Failure Reason

22056 Subject not found in the applicable identity store(s)

Resolution

Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped if they do not support the current authentication protocol.

Root cause

Subject not found in the applicable identity store(s).

Username

mohammed.ali

User Type

 

Endpoint Id

 

Endpoint Profile

 

IP Address

 

Identity Store

 

Identity Group

 

Audit Session Id

 

Authentication Method

PAP_ASCII

Authentication Protocol

PAP_ASCII

Service Type

Login

Network Device

Access-Sw1

Device Type

 

Location

 

NAS IP Address

1.1.1.1

NAS Port Id

 

NAS Port Type

Async

Authorization Profile

 

Posture Status

 

Security Group

 

Response Time

7

Overview

Event

5400 Authentication failed

Username

mohammed.ali

Endpoint Id

 

Endpoint Profile

 

Authorization Profile

 

ISEPolicySetName

Default

IdentitySelectionMatchedRule

Default

 

Authentication Details

Source Timestamp

2014-05-09 06:03:46.592

Received Timestamp

2014-05-09 06:03:46.591

Policy Server

hlc-ise1

Event

5400 Authentication failed

Failure Reason

22056 Subject not found in the applicable identity store(s)

Resolution

Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped if they do not support the current authentication protocol.

Root cause

Subject not found in the applicable identity store(s).

Username

mohammed.ali

User Type

 

Endpoint Id

 

Endpoint Profile

 

IP Address

 

Identity Store

 

Identity Group

 

Audit Session Id

 

Authentication Method

PAP_ASCII

Authentication Protocol

PAP_ASCII

Service Type

Login

Network Device

Access-Sw1

Device Type

 

Location

 

NAS IP Address

1.1.1.1

NAS Port Id

 

NAS Port Type

Async

Authorization Profile

 

Posture Status

 

Security Group

 

Response Time

7

1 Accepted Solution

Accepted Solutions

kaaftab
Level 4
Level 4

from the out put mentioned it mean the user is not present in the data store .It can be due to wrong policy to authenticate or user not part of the ou or group used in the policy

View solution in original post

6 Replies 6

kaaftab
Level 4
Level 4

from the out put mentioned it mean the user is not present in the data store .It can be due to wrong policy to authenticate or user not part of the ou or group used in the policy

Thanks for your response but the authenticate policy is been configured as the below screenshot (check the attached) and i'm sure the user is part from a group

You are saying your users are from AD, however you are pointing the IDstore use as "internal users". Please use AD if users are from AD, then ISE would be querying AD not internal database

it's just pointing to AD, the screen shot was incorrect.

sorry for that

check attached plz

Hi for simplicity just disable all other rules where internal user are used and check against the log and if you compare your log with the sreen short you can see that your default policy is used and in that you have mentioned that user belong to internal data base and its the reason for this.

 

********Do rate helpful links ******

Dear kaaflab

Thanks a lot for your support.

it's working now, the OU in AD was missing.