AD Domain Stripping

Unanswered Question
Mar 11th, 2007

Windows native 802.1x client sends the username to ACS in the following form "domain\user". I have created user names in ACS without the domain because we want users to be able to use the same login name when logging in to other applications which are not AD domain dependant. Moreover, for telnet access or firewall authentication, we want the users to use only the username and password, without the domain prefix.

I know proxy distribution can accomplish the stripping, but need to find out if there is a way to do it on the same ACS which receives the request?

magurwara Mon, 03/12/2007 - 06:51

Thanks Vivek but then this will not work for Cisco 1200 Series AP as they don't have this command.

Any other way?

magurwara Tue, 03/27/2007 - 09:08

Thanks Vivek, but I need more help.

I found that the radius-server domain-stripping command is also present on the Cisco AP {IOS ver 12.3(8)} so it should work. I have configured the following on my AP:

radius-server domain-stripping

also tried the following combinations

radius-server domain-stripping delimiter \

radius-server domain-stripping delimiter \\

In ACS failed attempts (CS user unknown) I still see username as [email protected] or\user

A few questions:

1. Do I need additional config on ACS4.0?

2. Do I use RADIUS (Aironet) or RADIUS (IETF) for this AP in ACS?

I have my unknown user policy set to fail and my username 'user' is configured in the ACS internal database.

Moreover, how will the AP strip\user since all examples for this command suggest that username must be at the beginning, which unfortunately is not the case with Windows native 802.1x PEAP.

Also, I am not sure how the 'radius-server directed request' can solve the problem.

Once again thanks for your help.

magurwara Tue, 04/03/2007 - 17:40

Looks like the domain-stripping command in the AP [IOS 12.3(8)] has no effect.

Also there is no way to configure VRF on a Cisco 1200 AP.

Can someone verify that?

r.spiandorello Wed, 04/04/2007 - 04:41

Hi, in my experience domain stripping has the reverse effect: it removes the user and sends the domain to the ACS!!!

ACS 3.2.3

With unknown user policy in ACS the user domain\user is added to the mapping group after authentication

thank you in advance

magurwara Wed, 04/04/2007 - 09:09

Not really. The cisco documents do say that a username like "[email protected]" can be passed to RADIUS as "user".

Also, with recent enhancements it supports other delimiter characters as well, and has the capability of passing "[email protected]" as just "[email protected]" and other combinations.

However, I have not seen any effect of this command for some reason. By the way I am trying with MS-PEAP client sending the 802.1x login request.

r.spiandorello Thu, 04/05/2007 - 00:23

I'd like the documented behaviour, but I receive the domain as login on the ACS not the user.

Probably this is a bug of the specific version

r.spiandorello Tue, 04/24/2007 - 02:47

Hi, also with 123-8.JEA1 and 123-11.JA1 the results are the same: why?

The PEAP Windows driver sends DOMAIN\USER and that's the matter!

thank you in advance
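The following is an added example, not code from this thread and not Cisco's IOS or ACS implementation. It models the two User-Name forms the thread is about: the suffix form "user@realm" that the IOS documentation examples assume, and the prefix form "DOMAIN\user" that the Windows native 802.1X/PEAP supplicant sends. It also reproduces the "reverse effect" reported above: applying suffix-style stripping (keep what is left of the delimiter) to a prefix-style name keeps the domain and discards the user. All function names, the sample User-Name values and the stand-in local account list are constructed for illustration.

```python
"""Reference model of RADIUS User-Name domain stripping (added example).

Not Cisco code: it only illustrates why a stripping rule that keeps the
left-hand side of the delimiter works for "user@realm" but returns the
DOMAIN for "DOMAIN\\user", and what a prefix-aware rule must do instead.
"""

# Constructed sample of User-Name values as an AP might forward them to
# the RADIUS server (hypothetical names, not taken from the thread).
SAMPLE_USER_NAMES = [
    "CORP\\jdoe",               # Windows native 802.1X / PEAP supplicant form
    "jdoe@corp.example",        # suffix (realm) form assumed by the IOS examples
    "jdoe",                     # already bare
    "CORP\\jdoe@corp.example",  # both forms at once
]

# Constructed stand-in for the RADIUS server's internal user database.
LOCAL_ACCOUNTS = {"jdoe", "asmith"}


def strip_suffix(user_name: str, delimiter: str = "@") -> str:
    """user<delimiter>realm -> user.

    Keeps everything left of the first delimiter.  This is the rule the
    documented "user@realm" examples describe; a name without the
    delimiter is returned unchanged.
    """
    head, _sep, _tail = user_name.partition(delimiter)
    return head


def strip_prefix(user_name: str, delimiter: str = "\\") -> str:
    """domain<delimiter>user -> user.

    Keeps everything right of the first delimiter, which is what the
    "DOMAIN\\user" form needs.  A name without the delimiter is returned
    unchanged (partition yields an empty separator in that case).
    """
    _head, sep, tail = user_name.partition(delimiter)
    return tail if sep else user_name


def normalize(user_name: str,
              prefix_delims: tuple = ("\\",),
              suffix_delims: tuple = ("@",)) -> str:
    """Strip any domain prefix first, then any realm suffix.

    Order matters for "DOMAIN\\user@realm": removing the prefix first
    leaves "user@realm", and the suffix rule then yields "user".
    """
    name = user_name
    for d in prefix_delims:
        name = strip_prefix(name, d)
    for d in suffix_delims:
        name = strip_suffix(name, d)
    return name


def lookup(user_name: str, accounts=LOCAL_ACCOUNTS) -> tuple:
    """Return (normalized_name, found) for a forwarded User-Name.

    'found' is False when the normalized name is not a local account,
    which is the situation that shows up as an unknown-user failed
    attempt when the unknown user policy is set to fail.
    """
    name = normalize(user_name)
    return name, name in accounts


def reverse_effect(user_name: str, delimiter: str = "\\") -> str:
    """The failure mode reported in the thread, made explicit.

    Treating the backslash as a suffix delimiter keeps the left-hand
    side, so "CORP\\jdoe" becomes "CORP": the server sees the domain,
    not the user.
    """
    return strip_suffix(user_name, delimiter)


if __name__ == "__main__":
    for raw in SAMPLE_USER_NAMES:
        print(f"{raw!r:30} -> {lookup(raw)}")
    print("suffix rule on a prefix-form name:", reverse_effect("CORP\\jdoe"))
```

Running the block prints each constructed User-Name beside its normalized form and whether it matches a local account; the last line shows the suffix rule returning "CORP" for "CORP\jdoe", the reverse effect described above. When checking failed-attempt logs, comparing the raw forwarded User-Name against what the local database holds tells you which of the two rules is actually being applied before the lookup.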
