Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ACS 5.0 and LDAP groups

Hi all,

having a problem with my new ACS 5.0 installation.

I'm able to read the LDAP-directory and see all need groups.

But when I logon to a switch, my policy-rule, which references to a ldap-group, does not match, it always hits the default-rule.

If I change the default rule to "allow" I'm able to logon.

Any ideas why my rule does not match?

about the directory:

1 group with about 15 users


Subject Objectclass: person

Subject Name Attribute: sAMAccountname

Group Objectclass: group

Group Map Attribute: memberOf

Group Objects Contain Reference to Subject

-> Subjects in Groups are Stored in Member Attribute As: distinguisched name

Subject Search-base point to where the users are stored

Object Search-base point to where the groups are stored

No Username Domain Stripping

regards Dirk

regards, Dirk (Please rate if helpful)
New Member

Re: Cisco ACS 5.0 and LDAP groups

Hi Dirk,

I am having the same issue,

have you solved it ?


New Member

Re: Cisco ACS 5.0 and LDAP groups

Hi together,

I have the same issue with ACS and OpenLDAP.

My LDAP structure

users (ou=users,dc=cisco,dc=de)

objectClass: organisationalUnit




objectClass: account

groups (ou=groups,dc=cisco,dc=de)

objectClass: organisationalUnit


objectClass: groupOfNames

member: (z.B:  uid=user1,ou=users,dc=cisco,dc=de

ACS is beable to read the groups and user from LDAP:


Subject ObjectClass = account

Subject Name Attribute = uid

Group ObjectClass= GroupOfNames

Group Map Attribute = Member

* Group Objects Contain Refererence To Subjects

   * Subjects in Groups Are Stored in Member Attributes As: username

Directory Structure:

- Subject Search Base: ou=users,dc=cisco,dc=de

- Group Search Base: ou=groups,dc=cisco,dc=de


Primary Servers  Connection test bind Succeeded

Number of Subjects: 6

Number of Groups: 3

But when I try to make a Group Mapping (Access Policies) the this rule will never match.

The User will not authenticated, also I don't see a request from ACS to LDAP to authenticate the USER.

ACS shows Failure Reason:  22056 Subject not found in the application identity stores(s)

Did anyone get this run ?

Ciao Andre

Cisco Employee

Re: Cisco ACS 5.0 and LDAP groups

Are you authenticating users against this LDAP database? If so you need to seelct this in the identity policy for the selected/matching user service.

For example, after default installation the identity policy for network access RADIUS requests can be found at:

Access Policies >Access Services >Default Network Access > Identity and is selected in the identity source

New Member

Re: Cisco ACS 5.0 and LDAP groups

HI jrabinow

I did this settings, I use Default Device Admin for Tacacs, and my internal Users match successfull against this rule ;-)

Also I changed the order of operations - Users and Identity Stores - Indentity Store Sequence - LDAP first then Internal Users.

But I never get a Hit Count in the Group Mapping Rule, only the Default Rule match.

Ciao Andre

Cisco Employee

Re: Cisco ACS 5.0 and LDAP groups

Is this RADIUS or TACACS+?

Have you added new access services since installation or using the default ones?

What is selected as the result of identity policy in each of the access services?

On the failure record, can you click on the details icon and copy the detailed steps performed for the request

New Member

Re: Cisco ACS 5.0 and LDAP groups

I use local Users with Tacacs and Radius

LDAP Users are only Tacacs.

I set the protocols for the Service Selection to the following:

- match protocol Radius - Default Network Access

- match protocol Tacacs - Default Device Admin

And the Tacacs HitCount increase when I try to authenticate a LDAP user, so this seems to be working.

No additional service was added.

I configured the nessary Shell-Profiles (Full-Access, Read-Only) and Command Sets (All-Commands), and tested them with the local users , works fine ;-)

Created a Identiy Rule in the Default Device Admin:

* LDAP-RULE -  NDG: All Device Types -> use Identity Store "LDAP-Server"

* Default Rule -> use Internal Users

Group Mapping:

LDAP-Group1 - use Identity Group: Full-Access (Shell Profile) - (Command-Set All Commands)

LDAP-Group2 - use Identity Group: Read-Only (Shell Profile) - (Only PrivLevel 1)

But still get only HitCounts for the Identity Default Rule, the LDAP-Rule never matches

The reselution step of the detailed failure is, Check whether the subject is present in any one of the chosen identity stores.

That will not help me .....

Thx for your help

New Member

Re: Cisco ACS 5.0 and LDAP groups


for me it seem that the ACS is only checking the internal user database.

have you configured a "Identity Store Sequence"?

If not, try to configure on under:

"Users and Identity Stores" -> "Identity Store Sequence" and specifiy the order in which the Directories should be scanned.

then map the "Identity Store Sequence" tp your access-policy

"access polivies" -> "Your Policy" -> "Identity" -> "Singel result selection" -> "Identity Source"

Works fine for me with Local-DB + ActiveDirectory as Identity Store.


regards, Dirk (Please rate if helpful)
New Member

Re: Cisco ACS 5.0 and LDAP groups

Hi Dirk,

i will try that and let you know ....

Ciao Andre

New Member

Re: Cisco ACS 5.0 and LDAP groups

Hi Dirk, Hi jrabinow

thx for the hint ;-)

That was the problem ,  I defined the Identity Store Sequence, but within the Access Policies Indetity, I created two rules, one for all Devices Internal Users, and one for LDAP users, but if the User was not found in one of them the sequence moved to default.

Maybe also because of the Advanced Options, the where default, so no further Rule will be processed.

Now the only rule within Identity is all Devices - Identity Store "LDAP-vy-Internal" created within Identity Store Sequence.

And it works as designed !

Thx again, sometimes we are blind, to see little mistakes.

Ciao Andre

############# Monitor Output ############

AAA Protocol > TACACS+ Authentication Details
Date :
July 19, 2010 2010 18:48:54 PM UTC
Authentication Details
Failure Reason:
    22056 Subject not found in the applicable identity store(s).
Logged At:
Jul 19, 2010 18:48 PM
ACS Time:
Jul 19, 2010 18:48 PM
ACS Instance:
Authentication Method:
Authentication Type:
Privilege Level:
Remote Address:
Network Device
Network Device:
Network Device IP Address:
Network Device Groups:
Device Type:All Device Types:Cisco-7200-Tac, Location:All Locations
Access Policy
Access Service:
    Default Device Admin
Identity Store:

Selected Shell Profile:

Active Directory Domain:

Identity Group:

Access Service Selection Matched Rule :
Identity Policy Matched Rule:
Selected Identity Stores:
Internal Users
Query Identity Stores:

Selected Query Identity Stores:

Group Mapping Policy Matched Rule:

Authorization Policy Matched Rule:

Authorization Exception Policy Matched Rule:

ACS Session ID:
AV Pairs:

Response Time:
Other Attributes:
Device Port=21204
Authentication Result
Received TACACS+ Authentication START Request
Evaluating Service Selection Policy
Matched rule
Selected Access Service - Default Device Admin
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Evaluating Identity Policy
Matched Default Rule
Selected Identity Store -
Current Identity Store does not support the authentication method; Skipping it.
TACACS+ will use the password prompt from global TACACS+ configuration.
Returned TACACS+ Authentication Reply
Received TACACS+ Authentication CONTINUE Request
Using previously selected Access Service
Identity Policy was evaluated before; Identity Sequence continuing
Looking up User in Internal Users IDStore - test3  ######## But this is a LDAP User ########
The user is not found in the internal users identity store.
Subject not found in the applicable identity store(s).
The advanced option that is configured for an unknown user is used.
The 'Reject' advanced option is configured in case of a failed authentication request.
Returned TACACS+ Authentication Reply
Additional Details
Diagnostics ACS Configuration Changes

############# Monitor Output ############

New Member

Re: Cisco ACS 5.0 and LDAP groups

Dirk, I think this solves what I am trying to do but I fail to follow a few of the steps. I am trying to have an Access Policy with both an Identity Group pointing to an Internal Identity Store and an External Group pointing to LDAP. The orignal Policy points only to LDAP and works fine. When I added an Internal Group it wouldn't authenticate and it broke LDAP for that Policy. I will use a resolution that works with one Policy line or two. Not sure which way you guys ended up. Under Identity Store Sequence, I have just the default sequence Identity Search Order. Under the first Retrieval Search List I have my LDAP followed by Internal Users. There is an Additional Retrieval Search List that only lists LDAP. And under Access Policies, Access Services, Default Device Admin, Identity, I have Single result selection selected with Identity Source = Identity Search Order. Advanced Options are Reject Reject Drop. Is that what stops the process after LDAP fails to authenticate? Thanks, Kevin

New Member

Re: Cisco ACS 5.0 and LDAP groups

I will be out of office from 06.09.2010 until 20.09.2010

I will respond to your mail after my return to the office.

Landesbank Baden-Wuerttemberg

Anstalt des oeffentlichen Rechts

Hauptsitze: Stuttgart, Karlsruhe, Mannheim, Mainz

HRA 12704

Amtsgericht Stuttgart

regards, Dirk (Please rate if helpful)
Cisco Employee

Re: Cisco ACS 5.0 and LDAP groups

Please also provide the details information.

To get this do the following:

- go to "Monitoring & Reports > Reports > Catalog > AAA Protocol > TACACS Authentication

You will get the pass fail information summary together with the reason. Click on icon (magnifying glass) for details. You will get a page for the full processing of the request. It will tell you which stores were accessed etc, which rules matched

Can you copy this information

New Member

Re: Cisco ACS 5.0 and LDAP groups

Thx it works now, I attached the Failure Massage


New Member

Re: Cisco ACS 5.0 and LDAP groups


Glad that we were able to solve it.

Enjoy the ACS 5.


regards, Dirk (Please rate if helpful)