AD Domain Stripping

magurwara
Level 1

Windows native 802.1x client sends the username to ACS in the following form "domain\user". I have created user names in ACS without the domain because we want users to be able to use the same login name when logging in to other applications which are not AD domain dependent. Moreover, for telnet access or firewall authentication, we want the users to use only the username and password, without the domain prefix.

I know proxy distribution can accomplish the stripping, but need to find out if there is a way to do it on the same ACS which receives the request?

10 Replies

Vivek Santuka
Cisco Employee

Hi,

On the Switch you can try :-

radius-server domain-stripping

Regards,

Vivek

Thanks Vivek but then this will not work for Cisco 1200 Series AP as they don't have this command.

Any other way?

Hi,

You can try radius-server directed request.

Regards,

Vivek

Thanks Vivek, but I need more help.

I found that the radius-server domain-stripping command is also present on the Cisco AP {IOS ver 12.3(8)} so it should work. I have configured the following on my AP:

radius-server domain-stripping

also tried the following combinations

radius-server domain-stripping delimiter \

radius-server domain-stripping delimiter \\

In ACS failed attempts (CS user unknown) I still see username as user@domain.com or domain.com\user

A few questions:

1. Do I need additional config on ACS4.0?

2. Do I use RADIUS (Aironet) or RADIUS (IETF) for this AP in ACS?

I have my unknown user policy set to fail and my username 'user' is configured in ACS internal ACS database.

Moreover, how will the AP strip domain.com\user since all examples for this command suggest that username must be at the beginning, which unfortunately is not the case with Windows native 802.1x PEAP.

Also, I am not sure how the 'radius-server directed request' can solve the problem.

Once again thanks for your help.

Anyone that can help with this?

Looks like the domain-stripping command in the AP [IOS 12.3(8)] has no effect.

Also there is no way to configure VRF on a Cisco 1200 AP.

Can someone verify that?

Hi, in my experience domain stripping has the reverse effect, removing the user and sending the domain to the ACS!!!

AP 1131AG JEA

ACS 3.2.3

With unknown user policy in ACS the user domain\user is added to the mapping group after authentication

thank you in advance

Not really. The Cisco documents do say that a username like "user@abc.com" can be passed to RADIUS as "user".

Also, with recent enhancements it supports other delimiter characters as well, and has the capability of passing "user@abc.com@xyz.com" as just "user@abc.com" and other combinations.

However, I have not seen any effect of this command for some reason. By the way I am trying with MS-PEAP client sending the 802.1x login request.
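The thread describes the same normalization from two sides: the original question (strip "domain\user" to "user" so an ACS database keyed on the bare name matches) and the reply above (strip "user@abc.com@xyz.com" to "user@abc.com" at the outermost realm). The Python below is an added example written for this thread, not Cisco IOS, AP or ACS code; it only models the documented intent of `radius-server domain-stripping`. Which delimiter wins when both a prefix and a suffix realm are present, and that one pass strips one realm, are assumptions made here. The `resolve_user` helper and its "CS user unknown" string are constructed to mirror the failed-attempts reason quoted in the thread, not an ACS API.

```python
"""Normalize a RADIUS User-Name sent by a Windows 802.1X supplicant.

Added example for this thread (not Cisco code).  Models the documented
intent of `radius-server domain-stripping`: remove realm decoration so a
user database keyed on the bare user name can match the request.
Assumptions: a prefix realm (DOMAIN\\user) is split at the leftmost
prefix delimiter, a suffix realm (user@domain) at the rightmost suffix
delimiter, and one pass strips one realm from each side.
"""

from typing import List, NamedTuple, Set, Tuple

PREFIX_DELIMITERS = "\\/"   # DOMAIN\user or DOMAIN/user
SUFFIX_DELIMITERS = "@"     # user@domain


class Normalized(NamedTuple):
    user: str           # bare user name to look up in the RADIUS user database
    realms: List[str]   # realm components that were stripped, outermost first


def strip_realm(user_name: str,
                prefix_delims: str = PREFIX_DELIMITERS,
                suffix_delims: str = SUFFIX_DELIMITERS,
                max_passes: int = 1) -> Normalized:
    """Strip realm decoration from a User-Name value.

    "CORP\\alice"            -> user "alice",        realms ["CORP"]
    "alice@domain.com"       -> user "alice",        realms ["domain.com"]
    "user@abc.com@xyz.com"   -> user "user@abc.com", realms ["xyz.com"]
    With max_passes=2 the last case continues to user "user".
    A name that would become empty after stripping is left as it is.
    """
    user = user_name
    realms: List[str] = []

    # Prefix realm: split at the leftmost prefix delimiter ("domain.com\\user").
    for _ in range(max_passes):
        idx = min((user.find(d) for d in prefix_delims if d in user), default=-1)
        if idx < 0 or idx == len(user) - 1:   # no delimiter, or nothing after it
            break
        realms.append(user[:idx])
        user = user[idx + 1:]

    # Suffix realm: split at the rightmost suffix delimiter ("user@abc.com@xyz.com").
    for _ in range(max_passes):
        idx = max((user.rfind(d) for d in suffix_delims if d in user), default=-1)
        if idx <= 0:                            # no delimiter, or nothing before it
            break
        realms.append(user[idx + 1:])
        user = user[:idx]

    return Normalized(user, realms)


def resolve_user(user_name: str, known_users: Set[str]) -> Tuple[str, str]:
    """Look up the normalized name in a bare-user-name database.

    Returns (normalized_user, outcome); the outcome string is constructed to
    mirror the failed-attempts reason quoted in the thread.
    """
    normalized = strip_realm(user_name)
    outcome = "authenticated" if normalized.user in known_users else "CS user unknown"
    return normalized.user, outcome


if __name__ == "__main__":
    # Constructed sample database and the name forms mentioned in the thread.
    database = {"user", "alice"}
    for name in ("domain.com\\user", "user@domain.com", "user@abc.com@xyz.com", "CORP\\bob"):
        print(name, "->", resolve_user(name, database))
```

Without stripping, "domain.com\user" never matches the bare entry "user", which is exactly the "CS user unknown" outcome reported above; with a second pass (`max_passes=2`) the nested "user@abc.com@xyz.com" form also collapses to "user".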

I'd like the documented behaviour, but I receive the domain as login on the ACS not the user.

Probably this is a bug of the specific version

Hi, also with 123-8.JEA1 and 123-11.JA1 the results are the same: why?

PEAP windows driver sends DOMAIN\USER and it's a matter!

thank you in advance

RS
