We have CSACS 3.2(3) where users are configured with an internal SecurID account, with the unknown user policy set up to query our Windows 2000 AD for wireless users. A user might have two entries in the database: a static "matt.melbourne" RSA SecurID username in the internal database (for VPN access) and a MYDOMAIN\matt.melbourne user created through a dynamic group mapping for wireless authentication.
The Cisco wireless client prepends the domain name to the username and passes this to ACS for authentication, which then queries the AD through the Unknown User Policy. However, some wireless clients (including the Cisco Secure Services Client) don't appear to prepend the domain name, and when authenticating wirelessly, only the username (e.g. "matt.melbourne") is presented. This matches the SecurID user in the internal database and the authentication fails.
Is there a way around this? Ideally, I'd like to say: if the request comes from this group of NASes (e.g. APs), then only query the Windows 2000 AD database.