Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4938
Views
0
Helpful
6
Replies

Can't authenticate user from AD through ISE

Go to solution
osamakajeji
Level 1
Level 1

‎05-08-2014 04:15 AM - edited ‎03-10-2019 09:41 PM

Dears

I'm trying to authenticate user from ISE after retrieving the groups from AD but can't be authenticated. 

Troubleshooting

from NAD

test aaa group radius <username in AD> <password in AD> new-code

authenticated was rejected

test aaa group radius <username in ISE> <password in ISE> new-code

authenticated success

- AD 2012

- ISE: 1.2  

- NAD: 3560 IOS ver 15

 

appreciate the assist

Thanks alot

 

 

Live Authentication output

Overview

Event

5400 Authentication failed

Username

mohammed.ali

Endpoint Id

 

Endpoint Profile

 

Authorization Profile

 

ISEPolicySetName

Default

IdentitySelectionMatchedRule

Default

 

Authentication Details

Source Timestamp

2014-05-09 06:03:46.592

Received Timestamp

2014-05-09 06:03:46.591

Policy Server

hlc-ise1

Event

5400 Authentication failed

Failure Reason

22056 Subject not found in the applicable identity store(s)

Resolution

Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped if they do not support the current authentication protocol.

Root cause

Subject not found in the applicable identity store(s).

Username

mohammed.ali

User Type

 

Endpoint Id

 

Endpoint Profile

 

IP Address

 

Identity Store

 

Identity Group

 

Audit Session Id

 

Authentication Method

PAP_ASCII

Authentication Protocol

PAP_ASCII

Service Type

Login

Network Device

Access-Sw1

Device Type

 

Location

 

NAS IP Address

1.1.1.1

NAS Port Id

 

NAS Port Type

Async

Authorization Profile

 

Posture Status

 

Security Group

 

Response Time

7

Overview

Event

5400 Authentication failed

Username

mohammed.ali

Endpoint Id

 

Endpoint Profile

 

Authorization Profile

 

ISEPolicySetName

Default

IdentitySelectionMatchedRule

Default

 

Authentication Details

Source Timestamp

2014-05-09 06:03:46.592

Received Timestamp

2014-05-09 06:03:46.591

Policy Server

hlc-ise1

Event

5400 Authentication failed

Failure Reason

22056 Subject not found in the applicable identity store(s)

Resolution

Check whether the subject is present in any one of the chosen identity stores. Note that some identity stores may have been skipped if they do not support the current authentication protocol.

Root cause

Subject not found in the applicable identity store(s).

Username

mohammed.ali

User Type

 

Endpoint Id

 

Endpoint Profile

 

IP Address

 

Identity Store

 

Identity Group

 

Audit Session Id

 

Authentication Method

PAP_ASCII

Authentication Protocol

PAP_ASCII

Service Type

Login

Network Device

Access-Sw1

Device Type

 

Location

 

NAS IP Address

1.1.1.1

NAS Port Id

 

NAS Port Type

Async

Authorization Profile

 

Posture Status

 

Security Group

 

Response Time

7

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
kaaftab
Level 4
Level 4

‎05-09-2014 01:13 AM

from the out put mentioned it mean the user is not present in the data store .It can be due to wrong policy to authenticate or user not part of the ou or group used in the policy

View solution in original post

0 Helpful
6 Replies 6

Go to solution
kaaftab
Level 4
Level 4

‎05-09-2014 01:13 AM

from the out put mentioned it mean the user is not present in the data store .It can be due to wrong policy to authenticate or user not part of the ou or group used in the policy

0 Helpful

Go to solution
osamakajeji
Level 1
Level 1
In response to kaaftab

‎05-09-2014 03:52 AM

Thanks for your response but the authenticate policy is been configured as the below screenshot (check the attached) and i'm sure the user is part from a group

Preview file
23 KB
0 Helpful

Go to solution
Saurav Lodh
Level 7
Level 7
In response to osamakajeji

‎05-09-2014 04:17 AM

You are saying your users are from AD, however you are pointing the IDstore use as "internal users". Please use AD if users are from AD, then ISE would be querying AD not internal database

0 Helpful

Go to solution
osamakajeji
Level 1
Level 1
In response to Saurav Lodh

‎05-09-2014 04:30 AM

it's just pointing to AD, the screen shot was incorrect.

sorry for that

check attached plz

Preview file
42 KB
0 Helpful

Go to solution
kaaftab
Level 4
Level 4
In response to osamakajeji

‎05-09-2014 05:09 AM

Hi for simplicity just disable all other rules where internal user are used and check against the log and if you compare your log with the sreen short you can see that your default policy is used and in that you have mentioned that user belong to internal data base and its the reason for this.

 

********Do rate helpful links ******

0 Helpful

Go to solution
osamakajeji
Level 1
Level 1
In response to kaaftab

‎05-11-2014 12:49 AM

Dear kaaflab

Thanks a lot for your support.

it's working now, the OU in AD was missing.

 

0 Helpful
Customers Also Viewed These Support Documents