03-11-2007 11:57 PM - edited 03-10-2019 03:02 PM
Windows native 802.1x client sends the username to ACS in the following form "domain\user". I have created user names in ACS without the domain because we want users to be able to use the same login name when logging in to other applications which are not AD domain dependent. Moreover, for telnet access or firewall authentication, we want the users to use only the username and password, without the domain prefix.
I know proxy distribution can accomplish the stripping, but need to find out if there is a way to do it on the same ACS which receives the request?
03-12-2007 06:14 AM
Hi,
On the switch you can try:
radius-server domain-stripping
Regards,
Vivek
03-12-2007 06:51 AM
Thanks Vivek but then this will not work for Cisco 1200 Series AP as they don't have this command.
Any other way?
03-12-2007 07:34 AM
Hi,
You can try radius-server directed request.
Regards,
Vivek
03-27-2007 09:08 AM
Thanks Vivek, but I need more help.
I found that the radius-server domain-stripping command is also present on the Cisco AP {IOS ver 12.3(8)} so it should work. I have configured the following on my AP:
radius-server domain-stripping
also tried the following combinations
radius-server domain-stripping delimiter \
radius-server domain-stripping delimiter \\
In ACS failed attempts (CS user unknown) I still see username as user@domain.com or domain.com\user
A few questions:
1. Do I need additional config on ACS4.0?
2. Do I use RADIUS (Aironet) or RADIUS (IETF) for this AP in ACS?
I have my unknown user policy set to fail and my username 'user' is configured in ACS internal ACS database.
Moreover, how will the AP strip domain.com\user since all examples for this command suggest that username must be at the beginning, which unfortunately is not the case with Windows native 802.1x PEAP.
Also, I am not sure how the 'radius-server directed request' can solve the problem.
Once again thanks for your help.
04-02-2007 11:51 PM
Anyone that can help with this?
04-03-2007 05:40 PM
Looks like the domain-stripping command in the AP [IOS 12.3(8)] has no effect.
Also there is no way to configure VRF on a Cisco 1200 AP.
Can someone verify that?
04-04-2007 04:41 AM
Hi, in my experience domain stripping has the reverse effect: it removes the user and sends the domain to the ACS !!!
AP 1131AG JEA
ACS 3.2.3
With unknown user policy in ACS the user domain\user is added to the mapping group after authentication
thank you in advance
04-04-2007 09:09 AM
Not really. The Cisco documents do say that a username like "user@abc.com" can be passed to RADIUS as "user".
Also, with recent enhancements it supports other delimiter characters and has the capability of passing "user@abc.com@xyz.com" as just "user@abc.com", and other combinations.
However, I have not seen any effect of this command for some reason. By the way I am trying with MS-PEAP client sending the 802.1x login request.
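An added example (not code from the thread, nor Cisco's own implementation) showing in Python the username normalisation that radius-server domain-stripping is described above as performing: the prefix form the Windows native supplicant sends (DOMAIN\user) and the suffix forms (user@abc.com, and user@abc.com@xyz.com reduced to user@abc.com). The lookup_key function and its trusted-realm set are assumptions added here, so that stripping the realm does not map every domain's "user" onto the same local ACS account.

```python
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identity:
    user: str              # the part a local (non-domain) account would be keyed on
    realm: Optional[str]   # the domain that was stripped, None if there was none
    form: str              # "prefix" (DOMAIN\user), "suffix" (user@domain) or "plain"


def normalise_identity(raw: str) -> Identity:
    """Strip the domain the way the thread describes the IOS feature should.

    Prefix form:  'CORP\\jsmith'          -> user 'jsmith',       realm 'CORP'
    Suffix form:  'jsmith@abc.com'        -> user 'jsmith',       realm 'abc.com'
    Nested form:  'user@abc.com@xyz.com'  -> user 'user@abc.com', realm 'xyz.com'
                  (only the right-most suffix is treated as the realm)
    """
    raw = raw.strip()
    # Windows native supplicant: realm first, then '\' (or '/'), then the user.
    m = re.match(r"^([^\\/]+)[\\/](.+)$", raw)
    if m:
        return Identity(user=m.group(2), realm=m.group(1), form="prefix")
    # NAI style: user first, '@', then the realm; split on the LAST '@'.
    if "@" in raw:
        user, realm = raw.rsplit("@", 1)
        return Identity(user=user, realm=realm, form="suffix")
    return Identity(user=raw, realm=None, form="plain")


def lookup_key(ident: Identity, trusted_realms: set) -> Optional[str]:
    """Return the name to look up in the local user database, or None (assumed helper).

    Stripping the realm unconditionally would let 'OTHER\\jsmith' and
    'CORP\\jsmith' both land on the single local account 'jsmith'. Only
    accept identities that carried no realm or a realm we explicitly trust.
    """
    if ident.realm is None:
        return ident.user
    if ident.realm.lower() in {r.lower() for r in trusted_realms}:
        return ident.user
    return None
```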
04-05-2007 12:23 AM
I'd like the documented behaviour, but I receive the domain as the login on the ACS, not the user.
Probably this is a bug in the specific version.
04-24-2007 02:47 AM
Hi, also with 123-8.JEA1 and 123-11.JA1 the results are the same: why?
The PEAP Windows driver sends DOMAIN\USER and it's a matter!
thank you in advance
RS