09-17-2018 07:53 AM
Hi,
I have an ISE 2.3 (patch 4) deployment that is linked to our AD environment. Our AD username policy allows apostrophes (e.g. domain\dave.o'smith).
I have a staff WiFi area that uses the AD for authentication of users. Does ISE allow apostrophes, or should the user names be plain (i.e. domain\dave.osmith)?
At the moment, I have the 22056 - subject not found in applicable identity stores.
Where in ISE 2.3 can I find a detailed log of which identity stores ISE has tried?
Thanks
09-17-2018 12:34 PM
09-17-2018 02:17 PM
That username should work, so expect it to be some other issue. On the live log, click on the details for the authentication event and it should tell you which identity store ISE tried. It should be listed in the Steps on the right-hand side. See example below:
15041 | Evaluating Identity Policy |
22072 | Selected identity source sequence - All_User_ID_Stores |
15013 | Selected Identity Source - Internal Users |
24210 | Looking up User in Internal Users IDStore - EXAMPLE\admin |
24216 | The user is not found in the internal users identity store |
15013 | Selected Identity Source - All_AD_Join_Points |
24430 | Authenticating user against Active Directory - All_AD_Join_Points |
24325 | Resolving identity - EXAMPLE\admin |
24313 | Search for matching accounts at join point - example.com |
24315 | Single matching account found in domain - example.com |
24323 | Identity resolution detected single matching account |
24343 | RPC Logon request succeeded - admin@example.com |
24402 | User authentication against Active Directory succeeded - All_AD_Join_Points |
22037 | Authentication Passed |
09-17-2018 12:34 PM
09-20-2018 04:21 AM
After a bit of troubleshooting, I found that this was affecting Apple devices. Windows and Android were okay.
A quick Google showed me an article where it appears that since iOS 11, a feature called 'Smart Punctuation' is replacing the vertical apostrophe (hex 27) with a slanted one (Unicode 2018, 2019), depending on where in the sentence the apostrophe is placed.
See https://forums.developer.apple.com/thread/89706
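To triage this kind of failure, the sketch below (an added example, not part of the original thread and not Cisco code) flags failed usernames that contain the U+2018/U+2019 characters named above and checks whether they match a directory name once the plain apostrophe is restored. The record layout, the sample names and the function names are constructed assumptions, not ISE output or an ISE API.

```python
import unicodedata

# Characters named in the post: Smart Punctuation swaps U+0027 for these.
SMART_APOSTROPHES = {"\u2018": "'", "\u2019": "'"}

# Constructed sample records (failure code, username as received).
SAMPLE_FAILURES = [
    ("22056", "EXAMPLE\\dave.o\u2019smith"),
    ("22056", "EXAMPLE\\dave.o'smith"),
    ("22056", "EXAMPLE\\\u2018ann.lee"),
    ("22056", "EXAMPLE\\bob.jones"),
]

def describe_non_ascii(username):
    """Return (index, 'U+XXXX', Unicode name) for every non-ASCII character."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(username) if ord(ch) > 0x7F]

def normalize_apostrophes(username):
    """Map typographic apostrophes back to the ASCII apostrophe (0x27)."""
    return username.translate(str.maketrans(SMART_APOSTROPHES))

def triage(failures, directory_names):
    """Report 'subject not found' failures caused by a substituted apostrophe."""
    known = {name.casefold() for name in directory_names}
    findings = []
    for code, received in failures:
        if code != "22056":
            continue
        fixed = normalize_apostrophes(received)
        if fixed == received:
            continue  # no typographic apostrophe; look for another cause
        findings.append({
            "received": received,
            "normalized": fixed,
            "chars": describe_non_ascii(received),
            "matches_directory": fixed.casefold() in known,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_FAILURES, ["EXAMPLE\\dave.o'smith"]):
        print(finding)
```

A finding with `matches_directory` set to true points at the client keyboard substitution rather than a missing account.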