I'm hoping that someone has come across a workaround to an age-old issue.
I'm currently using ACS 3.3 (Windows Edition), which passes off password authentication to an Active Directory domain controller. This all works as it should, but my client wants to use the UPN name to log onto the network. The problem is that ACS strips everything after the "@" symbol:
[email protected] gets passed on to AD as joe.bloggs
Is there any known solution to this issue, either from a Cisco or a Microsoft perspective?
I have already tried using Microsoft IAS, which works perfectly, but you lose the logging / security aspects provided by ACS.
Any suggestions would be appreciated.
What you are trying to do would be a little difficult, as your SAM and UPN usernames are different.
But I would suggest you give this a try:
From External User Databases > Database Configuration:
Create a Generic LDAP instance with the following information:
User Directory Subtree : DC=mycompany,DC=com
Group Directory Subtree : DC=mycompany,DC=com
UserObjectType : userPrincipalName
UserObjectClass : person
GroupObjectType : cn
GroupObjectClass : group
Group Attribute Name : member
Port : 389
Admin DN : [email protected]
Leave the rest of the information as default.
And from External User Database > Unknown User Policy, make sure that your newly created Generic LDAP is at the top, above Windows.
NOTE: I have taken the User Directory Subtree and Group Directory Subtree from the root of the tree. If you have a large tree, then I would prefer to be specific about where the users are and where the groups are, rather than searching the whole tree.
Give this a try. It should let users who enter their username in UPN format authenticate, and if they use the SAM account name, then ACS will look in the next database after Generic LDAP, i.e. Windows.
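The lookup order the answer configures, modelled as an added example that is not part of the original post or of ACS itself: a login is first tried against the Generic LDAP database (a search on userPrincipalName under the configured User Directory Subtree), and only if that finds nothing does it fall through to the Windows database. The directory entries are constructed for the example, the filter shape (&(userPrincipalName=...)(objectClass=person)) is an assumption about what ACS issues for the UserObjectType / UserObjectClass settings, and the Windows database is reduced to a sAMAccountName lookup. The login value is escaped per RFC 4515 before it goes into the filter, so a login such as "*@mycompany.com" is matched literally rather than as a wildcard, and entries with the same UPN outside the configured subtree are never returned.

```python
import re

# Generic LDAP settings taken from the answer above.
USER_DIRECTORY_SUBTREE = "DC=mycompany,DC=com"
USER_OBJECT_TYPE = "userPrincipalName"
USER_OBJECT_CLASS = "person"

# Constructed sample entries for this example; not real accounts.
FAKE_DIRECTORY = [
    {"dn": "CN=Joe Bloggs,OU=Staff,DC=mycompany,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "jbloggs",
     "userPrincipalName": "joe.bloggs@mycompany.com"},
    {"dn": "CN=Backup Service,OU=Service Accounts,DC=mycompany,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "svc-backup",
     "userPrincipalName": "svc-backup@mycompany.com"},
    # Same UPN, but outside the configured subtree: must never match.
    {"dn": "CN=Joe Bloggs,OU=Staff,DC=othercorp,DC=com",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "jbloggs",
     "userPrincipalName": "joe.bloggs@mycompany.com"},
]

# RFC 4515 escaping for values placed inside a search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    """Escape a raw login so it is matched literally, never as a wildcard or sub-filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def unescape_filter_value(value):
    """Reverse of escape_filter_value; used by the matcher below."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def build_user_filter(login):
    """Assumed filter shape for the UserObjectType / UserObjectClass settings."""
    return "(&(%s=%s)(objectClass=%s))" % (
        USER_OBJECT_TYPE, escape_filter_value(login), USER_OBJECT_CLASS)


def _in_subtree(dn, base_dn):
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def ldap_search(directory, base_dn, filt):
    """Evaluate a conjunctive equality filter (&(a=v)(b=w)...) over the sample
    directory, scoped to base_dn. Comparison is case-insensitive, as AD treats
    these attributes. Because the value was escaped, no literal '(' or ')'
    can break the clause regex."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", filt)
    if not m:
        raise ValueError("unsupported filter shape: %s" % filt)
    clauses = [(attr, unescape_filter_value(val).lower())
               for attr, val in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1))]
    hits = []
    for entry in directory:
        if not _in_subtree(entry["dn"], base_dn):
            continue
        matched = True
        for attr, want in clauses:
            have = entry.get(attr, [])
            if not isinstance(have, list):
                have = [have]
            if want not in [h.lower() for h in have]:
                matched = False
                break
        if matched:
            hits.append(entry)
    return hits


def windows_lookup(directory, login):
    """Stand-in for the Windows database: resolves sAMAccountName only, which is
    why a UPN login that has had its domain part stripped cannot be found here."""
    return [e for e in directory if e.get("sAMAccountName", "").lower() == login.lower()]


def resolve_login(login, directory=FAKE_DIRECTORY):
    """Unknown User Policy order from the answer: Generic LDAP first, Windows second."""
    filt = build_user_filter(login)
    hits = ldap_search(directory, USER_DIRECTORY_SUBTREE, filt)
    if hits:
        return {"database": "Generic LDAP", "filter": filt, "dn": hits[0]["dn"]}
    hits = windows_lookup(directory, login)
    if hits:
        return {"database": "Windows", "filter": None, "dn": hits[0]["dn"]}
    return {"database": None, "filter": filt, "dn": None}


if __name__ == "__main__":
    for login in ("joe.bloggs@mycompany.com", "jbloggs", "*@mycompany.com"):
        print(login, "->", resolve_login(login))
```

Against a real ACS the escaping is done by ACS, not by you, but the same check applies when scoping the User Directory Subtree: the narrower the base DN, the fewer entries a UPN search can reach, which is the point of the note about large trees.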