12-06-2012 12:33 PM - edited 03-10-2019 07:52 PM
Hi, I have a new ACS 5.3 configured and an ASA5550 to authenticate VPN users using a remote LDAP server. Once I try to authenticate the users with the ACS it gives me the error message "22056 Subject not found in the applicable identity store(s)."
I checked the documentation and have already configured the Identity Store Sequences to redirect everything to the LDAP server. I also did the Bind test and it says it is OK, but I still have the same problem.
I validated the Access Policies menu and tried to create a new Service Selection Rule, but when I get to the option of modifying the Identity option I get the error: "This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page." and I'm not able to modify the identity, not in this new option I created, nor in the ones already created in the ACS.
I appreciate any help.
Thanks..
12-06-2012 12:41 PM
Which browser, and which version of the browser, are you using?
12-06-2012 02:45 PM
Hi, I'm using Internet Explorer 8.0 and Mozilla Firefox 17.01.
With Firefox, I get the error "This System Failure occurred: {0}. Your changes have not been saved. Click OK to return to the list page."
With Internet Explorer I'm able to change the Identity on the Default Device Admin option to the Identity Source pointing to the LDAP server, but I still get the message "22056 Subject not found in the applicable identity store(s)." when I test a connection with a VPN user.
12-10-2012 06:50 AM
This version of Firefox is not yet supported. Note that patch 1 for ACS 5.4 will include support for later versions of Firefox (at least up to version 16).
Are you processing RADIUS or TACACS+ requests? If the former, and you are using the default services, you would need to change the identity source for "Default Network Access".
12-10-2012 11:35 AM
Hi, yes, I'm currently using only the Internet Explorer browser. I'm processing the requests using TACACS+ and the default Device Admin identity.
Thank you for your collaboration.
12-10-2012 06:05 PM
Please share your identity sequence configuration. Where in the sequence is this LDAP server? Is there a database that may have the user account higher in the sequence?
Sent from Cisco Technical Support Android App
12-11-2012 05:30 AM
A couple of suggestions:
- Go to LDAP, Directory Organization tab, and press "Test Configuration" and see that users and groups are returned.
- Go to Monitoring and Reporting -> Authentications - TACACS - Today, then press Details and share the output. This will clarify how the request was processed.
12-11-2012 08:07 AM
Hi Jrabinow:
1. Test Configuration in LDAP: yes, it retrieves users and groups (>100).
2. Output of TACACS - Today:
Status: Failed
Failure Reason: 22056 Subject not found in the applicable identity store(s).
Logged At: Dec 11, 2012 10:44 AM
ACS Time: Dec 11, 2012 10:44 AM
ACS Instance: cbo-acsgxni-2.co.xxx.com
Authentication Method: PAP_ASCII
Authentication Type: ASCII
Privilege Level: 1

User
Username: joe@co.xxx.com
Remote Address: 0.0.0.0

Network Device
Network Device: FW-GSI
Network Device IP Address: xx.xx.34.97
Network Device Groups: Device Type:All Device Types:Firewall, Location:All Locations

Access Policy
Access Service: Default Device Admin
Identity Store:
Selected Shell Profile:
Active Directory Domain:
Identity Group:
Access Service Selection Matched Rule: Rule-2
Identity Policy Matched Rule: Default
Selected Identity Stores: LDAP-SRV, LDAP-SRV
Query Identity Stores:
Selected Query Identity Stores:
Group Mapping Policy Matched Rule:
Authorization Policy Matched Rule:
Authorization Exception Policy Matched Rule:

Authentication Result
AuthenticationResult=UnknownUser

Steps
Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - Default Device Admin
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
Sending request to primary LDAP server
Authenticating user against LDAP Server
User not found in LDAP Server
Sending request to primary LDAP server
Authenticating user against LDAP Server
User not found in LDAP Server
Identity sequence completed iterating the IDStores
Subject not found in the applicable identity store(s).
The advanced option that is configured for an unknown user is used.
The 'Reject' advanced option is configured in case of a failed authentication request.
Returned TACACS+ Authentication Reply

Other
ACS Session ID: cbo-acsgxni-2.co.xxx.com/142028392/109
Service: Login
AV Pairs:
Response Time: 716
Other Attributes: ACSVersion=acs-5.3.0.40-B.839
Thank you..
12-11-2012 07:34 AM
Hi,
The sequence is (Identity Store Sequences):
Password Based
Authentication and Attribute Retrieval Search List:
Selected:
LDAP
Internal Users
Additional Attribute Retrieval Search List:
Selected:
LDAP
Internal Users
Advanced option:
Break Sequence
Thanks.
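To make the failure path in the log above easier to reason about, here is an added, constructed model of how a password-based identity store sequence like the one just described is walked. It is not Cisco ACS code and none of it comes from the original posts: the store names, the in-memory directory entries, the subject name attribute `uid`, and the reading of "Break Sequence" as "stop when a store cannot be reached" are all assumptions. What it shows is that the subject search is an exact equality match on the subject name attribute against the username exactly as the device forwarded it (so `joe@co.xxx.com` does not match an entry whose `uid` is `joe`), that the sequence only ends in reason 22056 after every store has answered "not found", and that the username must be RFC 4515 escaped before it is placed in the search filter.

```python
"""
Constructed model of an identity store sequence lookup (added example, not
Cisco ACS code). Store names, directory contents and option semantics are
assumptions used for illustration only.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

UNKNOWN_USER = "22056 Subject not found in the applicable identity store(s)."


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into an LDAP search filter,
    so a username containing '*', '(' or ')' cannot widen the subject search."""
    special = {"\\", "*", "(", ")", "\x00"}
    return "".join("\\%02x" % ord(c) if c in special else c for c in value)


def subject_filter(subject_attr: str, username: str) -> str:
    """The equality filter a subject search sends: (<subject attr>=<username>)."""
    return "(%s=%s)" % (subject_attr, escape_filter_value(username))


class StoreUnreachable(Exception):
    """Raised when a store cannot be contacted (connect or bind failure)."""


@dataclass
class LdapStore:
    name: str
    subject_attr: str                                  # assumed: uid
    entries: List[Dict[str, str]] = field(default_factory=list)
    reachable: bool = True

    def lookup(self, username: str) -> Optional[Dict[str, str]]:
        if not self.reachable:
            raise StoreUnreachable(self.name)
        # Exact match on the subject name attribute: "joe@co.xxx.com" does not
        # match an entry whose uid is "joe".
        for entry in self.entries:
            if entry.get(self.subject_attr) == username:
                return entry
        return None


@dataclass
class InternalUsersStore:
    name: str
    users: Dict[str, Dict[str, str]] = field(default_factory=dict)
    reachable: bool = True

    def lookup(self, username: str) -> Optional[Dict[str, str]]:
        if not self.reachable:
            raise StoreUnreachable(self.name)
        return self.users.get(username)


def evaluate_sequence(stores, username: str, break_on_failure: bool = True) -> dict:
    """Walk the stores in order and stop at the first one that knows the user.
    A store that cannot be reached either ends the sequence (Break Sequence)
    or is skipped (continue to next store); that reading is an assumption."""
    steps = []
    for store in stores:
        steps.append("Sending request to %s" % store.name)
        try:
            record = store.lookup(username)
        except StoreUnreachable:
            steps.append("%s unreachable" % store.name)
            if break_on_failure:
                return {"status": "store_failure", "store": store.name, "steps": steps}
            continue
        if record is not None:
            steps.append("User found in %s" % store.name)
            return {"status": "found", "store": store.name, "steps": steps}
        steps.append("User not found in %s" % store.name)
    steps.append("Identity sequence completed iterating the IDStores")
    steps.append(UNKNOWN_USER)
    return {"status": "unknown_user", "store": None, "steps": steps}


# Constructed sample data mirroring the thread's order: LDAP first, then Internal Users.
LDAP_SRV = LdapStore("LDAP-SRV", "uid", [{"uid": "joe", "cn": "Joe Example"}])
INTERNAL = InternalUsersStore("Internal Users", {"admin": {"cn": "Local Admin"}})
SEQUENCE = [LDAP_SRV, INTERNAL]

if __name__ == "__main__":
    for user in ("joe@co.xxx.com", "joe", "admin"):
        result = evaluate_sequence(SEQUENCE, user)
        print(user, "->", result["status"], result["store"])
        print("  filter sent to LDAP:", subject_filter("uid", user))
        for step in result["steps"]:
            print("  ", step)
```

Running it with the three constructed usernames shows the UPN-style name falling through both stores to the 22056 line, while the bare `joe` is found in LDAP-SRV and `admin` in Internal Users. When checking a real deployment, the equivalent step is to compare the username shown in the report's "Username:" field with the value of the subject name attribute configured for the LDAP store, since those two strings must be equal for the subject search to succeed.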
12-24-2018 06:29 AM
Hi
I know this is an old post, but did you find a solution to this issue?
Thank you
Pathy