ACS stripping UPN

Answered Question
Jul 20th, 2007

Hi All,

I'm hoping that someone has come accross a workaround to an age old issue.

I'm currently using ACS 3.3 (Windows Edition) which passes off password authentication to an Active Directory Domain controller. This all works as it should do but my Client wants to use the UPN Name to log onto the Network. The problem is that ACS strips everything after the "@" symbol

[email protected] gets passed onto AD as joe.bloggs

Is there any known solution to this issue either from a Cisco or Microsoft perspective.

I have already tried using Microsoft IAS which works perfectly but you lose the logging / security aspects provided by ACS.

Any suggestions would be appreciated.

Elliott

I have this problem too.
0 votes
Correct Answer by Premdeep Banga about 9 years 6 months ago

Hi,

What you are trying to do would be little difficult, as your SAM and UPN username are different.

But I would suggest you to give this a try,

From External User Databases > Database Configuration ?.

Create a Generic LDAP instance, with following information,

User Directory Subtree : DC=mycompany,DC=com

Group Directory Subtree : DC=mycompany,DC=com

UserObjectType : userPrincipalName

UserObjectClass : person

GroupObjectType : cn

GroupObjectClass : group

Group Attribute Name : member

Hostname :

Port : 389

Admin DN : [email protected]

Password :

Leave rest of the information as default.

And from External User Database > Unknown User Policy > make sure that your newly created Generic LDAP is at top of windows.

NOTE : I have taken User Directory Subtree and Group Directory Subtree from the root of the tree, if you have a large tree, then i would prefer to be specific where the users are and where the groups are, rather then searching the whole tree.

Give this a try, it should let users using username as UPN format, to be able to authenticate, and if they use SAM account name, then ACS will look for next database after Generic LDAP, i.e. Windows.

Regards,

Prem

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
Jagdeep Gambhir Fri, 07/20/2007 - 07:39

Elliot,

Please check

acs--->External user db---> Database configuration---->Windows---> choose domain --->configure---->Configure Domain Lists--->Make sure that you domain name is under available domain box

Let me know how that goes !

Regards,

~JG

Jagdeep Gambhir Fri, 07/20/2007 - 08:04

Hi Elliott,

Are you using peap or TLS ? PEAP does not support domain stripping. The client is the one sending the information to ACS. It really doesn't have anything to do with ACS.

Regards,

~JG

elliott.fougman Fri, 07/20/2007 - 08:12

Nope, not using any forms of EAP. This is purely PAP / CHAP stuff.

Below is a section of an ACS manual which explains how ACS deals with certain usernames

Full URL : http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00802335f3.html#wp353993

UPN Usernames

ACS supports authentication of usernames in UPN format, such as [email protected] or cyril.yang@[email protected].

If the authentication protocol is EAP-TLS, by default, ACS submits the username to Windows in UPN format; however, you can configure ACS to strip from the username all characters after and including the last at symbol (@). For more information, see EAP-TLS Domain Stripping.

For all other authentication protocols that it can support with Windows databases, ACS submits the username to Windows that is stripped of all characters after and including the last at symbol (@). This behavior allows for usernames that contain an at symbol (@). For example:

?If the username received is [email protected], ACS submits to Windows an authentication request containing the username cyril.yang.

?If the username received is cyril.yang@[email protected], ACS submits to Windows an authentication request containing the username [email protected]-office.

Jagdeep Gambhir Fri, 07/20/2007 - 08:27

How users are connecting ? CHAP is not supported with AD. Please provide your network scenario.

Correct Answer
Premdeep Banga Sat, 07/21/2007 - 11:35

Hi,

What you are trying to do would be little difficult, as your SAM and UPN username are different.

But I would suggest you to give this a try,

From External User Databases > Database Configuration ?.

Create a Generic LDAP instance, with following information,

User Directory Subtree : DC=mycompany,DC=com

Group Directory Subtree : DC=mycompany,DC=com

UserObjectType : userPrincipalName

UserObjectClass : person

GroupObjectType : cn

GroupObjectClass : group

Group Attribute Name : member

Hostname :

Port : 389

Admin DN : [email protected]

Password :

Leave rest of the information as default.

And from External User Database > Unknown User Policy > make sure that your newly created Generic LDAP is at top of windows.

NOTE : I have taken User Directory Subtree and Group Directory Subtree from the root of the tree, if you have a large tree, then i would prefer to be specific where the users are and where the groups are, rather then searching the whole tree.

Give this a try, it should let users using username as UPN format, to be able to authenticate, and if they use SAM account name, then ACS will look for next database after Generic LDAP, i.e. Windows.

Regards,

Prem

elliott.fougman Thu, 07/26/2007 - 05:38

Hi Prem,

Just wanted to let you know that your suggestion was spot on and has resolved my issue.

Many Thanks

Elliott

Actions

This Discussion