ACS 5.X Identity Sequence Store problem

I have an ACS 5.3 installation, where I have built my own identity store sequence. It simply uses AD first and local users as the second store. My users can log in successfully if the user exists in AD. But if a user does not exist in AD it should look in local users, and this part doesn't work for me. I am using rule-based result selection in my identity policy.

The log shows me that ACS is only using AD and not the local users. I have changed my advanced option to continue to the next store if the user is not found. But it doesn't work.

Has anybody seen this problem before?


This is the authentication log:


Status:    Failed
Failure Reason:    22056 Subject not found in the applicable identity store(s).

Logged At:    May 02, 2015 3:41 PM
ACS Time:    May 02, 2015 3:41 PM
ACS Instance:    MYACS

Authentication Method:    PAP_ASCII
Authentication Type:    ASCII
Privilege Level:    1
User
Username:    test-username

Remote Address:    22.50.189.20
Network Device
Network Device:    mydevice

Network Device IP Address:    172.116.118.10
Network Device Groups:    Device Type:All Device Types:Switche-intra, Location:All Locations:Data-
Access Policy
Access Service:    Default Device Admin

Identity Store:    
Selected Shell Profile:    
Active Directory Domain:    mypc.mydomain.local
Identity Group:    
Access Service Selection Matched Rule :    Rule-2
Identity Policy Matched Rule:    Rule-1
Selected Identity Stores:    AD1, AD1 ??
Query Identity Stores:    
Selected Query Identity Stores:    
Group Mapping Policy Matched Rule:    
Authorization Policy Matched Rule:    
Authorization Exception Policy Matched Rule:    
Other
ACS Session ID:    s8897886
Service:    Login
AV Pairs:    
Response Time:    9
Other Attributes:    ACSVersion=acs-5.3.0.40-B.839
ConfigVersionId=112
Device Port=18417
Protocol=Tacacs
Type=Authentication
Action=Login
Port=tty3
Action=Login
Port=tty3


Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - Default Device Admin
Evaluating Identity Policy
Matched rule
Selected Identity Store -
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched rule
Selected Identity Store -
Authenticating user against Active Directory
User not found in Active Directory
Authenticating user against Active Directory
User not found in Active Directory
Identity sequence completed iterating the IDStores
Subject not found in the applicable identity store(s).
The advanced option that is configured for an unknown user is used.
The 'Reject' advanced option is configured in case of a failed authentication request. 
Returned TACACS+ Authentication Reply
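As an added illustration (not from the thread and not Cisco ACS code), the Python below does two things with the log above: it parses the "Selected Identity Stores" line and the "Authenticating user against" lines to flag what the log actually shows (AD1 listed twice, the internal store never consulted), and it models how an identity store sequence is walked under the "continue to next store if user not found" versus "reject" advanced option. The log excerpt, the store names and the user records are constructed for the example, and the walker is a simplified model of ACS behaviour, not its implementation.

```python
import hmac
import re

# Constructed excerpt modelled on the thread's log (not a real ACS capture).
SAMPLE_LOG = """\
Identity Policy Matched Rule:    Rule-1
Selected Identity Stores:    AD1, AD1 ??
Authenticating user against Active Directory
User not found in Active Directory
Authenticating user against Active Directory
User not found in Active Directory
Identity sequence completed iterating the IDStores
Subject not found in the applicable identity store(s).
"""

# Constructed user databases keyed by store name (hypothetical credentials).
DIRECTORIES = {
    "AD1": {"alice": "ad-pass"},
    "Internal Users": {"test-username": "local-pass"},
}


def selected_stores(log_text):
    """Return the store names listed on the 'Selected Identity Stores' line."""
    m = re.search(r"^Selected Identity Stores:\s*(.*)$", log_text, re.M)
    if not m:
        return []
    raw = m.group(1).replace("??", "")  # drop the poster's own annotation
    return [s.strip() for s in raw.split(",") if s.strip()]


def sequence_findings(log_text, expected_stores):
    """Compare the sequence the log reports with what the admin intended.

    Flags duplicated stores, intended stores that never appear, and a
    mismatch between the number of stores and the number of lookups."""
    stores = selected_stores(log_text)
    findings = []
    for name in sorted({s for s in stores if stores.count(s) > 1}):
        findings.append(f"store '{name}' appears {stores.count(name)} times in the sequence")
    for name in expected_stores:
        if name not in stores:
            findings.append(f"expected store '{name}' is not in the sequence")
    attempts = len(re.findall(r"^Authenticating user against", log_text, re.M))
    if attempts != len(stores):
        findings.append(f"{attempts} lookups logged for {len(stores)} stores")
    return findings


def authenticate(username, password, sequence, directories, on_not_found="continue"):
    """Walk the identity store sequence the way the ACS log narrates it.

    on_not_found: 'continue' (try the next store) or 'reject' (stop).
    Returns (status, trace); trace lines mirror the ACS log wording."""
    trace = []
    for store in sequence:
        trace.append(f"Authenticating user against {store}")
        users = directories.get(store, {})
        if username not in users:
            trace.append(f"User not found in {store}")
            if on_not_found == "reject":
                trace.append("The 'Reject' advanced option is configured for an unknown user.")
                return "Failed", trace
            continue
        # Constant-time comparison; a real store would verify a password hash.
        if hmac.compare_digest(users[username].encode(), password.encode()):
            trace.append(f"User authenticated against {store}")
            return "Passed", trace
        trace.append(f"Wrong password for user in {store}")
        return "Failed", trace
    trace.append("Identity sequence completed iterating the IDStores")
    trace.append("Subject not found in the applicable identity store(s).")
    return "Failed", trace


if __name__ == "__main__":
    for f in sequence_findings(SAMPLE_LOG, ["AD1", "Internal Users"]):
        print("finding:", f)
    for seq in (["AD1", "AD1"], ["AD1", "Internal Users"]):
        status, trace = authenticate("test-username", "local-pass", seq, DIRECTORIES)
        print(seq, "->", status)
        for line in trace:
            print("   ", line)
```

Run against the excerpt, the checker reports that AD1 appears twice and that Internal Users is absent, which is why "continue to next store" changes nothing: the next store is AD1 again. The walker shows the same user passing once the sequence is AD1 followed by Internal Users, and failing at the first store when the advanced option is set to reject.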
Comments

  • I don't remember off the top of my head where exactly to go, but you need to find the identity store sequence and modify it to include the local store after AD1. Your identity store has AD1, AD1 from what you posted.

    Sent from my iPhone

    On Jun 13, 2015, at 3:08 PM, ais <[email protected]> wrote:


    INE - The Industry Leader in CCIE Preparation

    http://www.INE.com



    Subscription information may be found at:

    http://www.ieoc.com/forums/ForumSubscriptions.aspx
  • Hi again. 

    If you mean that I have to select AD and Internal Users (shown below), then it's already done. In this example I am showing Internal Users and AD is selected. In my production the AD is before Internal Users.


  • OK, great. Can you confirm that in production you have the right identity store sequence referenced? The first output showed AD1 twice.

    Sent from my iPhone

    On Jun 14, 2015, at 5:31 AM, ais <[email protected]> wrote:
