ACS 5.4 w/ 20,000 async authorization errors: 22056 Subject Not Found in the applicable identity store.

Hello

We have an ACS 5.4 w/ 20,000 async authorization errors:

22056 Subject not found in the applicable identity store.

The associated IP address is a Cisco Async router.

We added no exec to stop authentication errors but continue to have authorization errors.

line 0/0/0 0/0/15
 no exec
 transport input telnet

How do I get rid of the errors that are negatively impacting router CPU utilization?

Cisco Employee

Problem: 22056 Subject not found in the applicable identity store(s)

AD users do not get authenticated with ACS version 5.x and receive this error message: 22056 Subject not found in the applicable identity store(s).

Solution

This error message occurs when the ACS failed to find the user in the first listed database that is configured in the Identity store sequence. This is an informational message and does not affect the performance of the ACS. The way that ACS 5.x performs the authentication for internal or external users is different than the previous 4.x version. With the 5.x version, there is an option called Identity Store Sequence to define the sequence of user databases to be authenticated. For more information, refer to Configuring Identity Store Sequences.

If you receive this error when you are using the ACS to authenticate requests against a Child Domain, then you have to add a UPN suffix or NETBIOS prefix to the username. For more information, refer to the Notes in the Microsoft AD section.

 

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113485-acs5x-tshoot.html#p6
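
A simplified model of the lookup behaviour described in the reply above, added here as an example and not Cisco's code: stores in an identity store sequence are tried in order, each miss is recorded as a 22056 message, and a child-domain user is matched only once the name carries a UPN suffix or NETBIOS prefix. The store names, accounts and domain are constructed placeholders, and the exact matching rules are an assumption of the model.

```python
# Simplified model (assumption, not ACS code) of an identity store sequence.
from dataclasses import dataclass, field

SUBJECT_NOT_FOUND = 22056  # message code quoted in the thread


@dataclass
class IdentityStore:
    name: str
    subjects: set = field(default_factory=set)  # constructed sample accounts

    def has(self, username: str) -> bool:
        # Case-insensitive exact match on the name as presented.
        return username.lower() in self.subjects


def authenticate(username, sequence):
    """Walk the sequence in order.

    Returns (name of the store that matched, or None; list of logged misses).
    A miss in an earlier store is logged even if a later store matches,
    which is why the message can be purely informational.
    """
    log = []
    for store in sequence:
        if store.has(username):
            return store.name, log
        log.append((SUBJECT_NOT_FOUND, store.name, username))
    return None, log


def qualify(username, upn_suffix=None, netbios_prefix=None):
    """Build the qualified forms the reply mentions for child domains."""
    if upn_suffix:
        return f"{username}@{upn_suffix}"
    if netbios_prefix:
        return f"{netbios_prefix}\\{username}"
    return username


# Constructed sample data: every name and domain here is a placeholder.
INTERNAL = IdentityStore("Internal Users", {"localadmin"})
AD = IdentityStore("AD1", {"alice@child.example.com", "child\\alice"})
SEQUENCE = [INTERNAL, AD]

if __name__ == "__main__":
    for name in ("localadmin", "alice", qualify("alice", upn_suffix="child.example.com")):
        print(name, "->", authenticate(name, SEQUENCE))
```

In this model the qualified name still produces one 22056 entry for the first store before the second store matches; only the bare name fails in every store.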