I have deployed a pair of Cisco ACS v5.3 in my environment and joined the ACS to my AD. With this, I used the new "Password Type" feature for internal users and set the internal user password to the external AD database; meaning to say that, for example, I have an AD user weekwang, and on the ACS internal user database I created the same user name weekwang but set the user's password type to AD.
Upon this, I then configured 802.1x user authentication for network access. I configured the Identity setting of the access policy to the internal user database. However, the user authentication fails, as the ACS cannot find the user in the internal user database.
From the monitor and report log, I see that the user name the ACS is receiving is Domain\weekwang. Thus, it cannot locate the user in the internal user database.
Thus, I would like to seek assistance/advice on whether there is any configuration on the ACS that I need to set so that I can strip the Domain\ prefix from the received user name, so that the ACS will receive the user name as just weekwang.
I believe that when we are using PAP as the authentication protocol, the ACS is able to strip the domain prefix. However, my side is using PEAP MSCHAPv2 as the authentication protocol, and I believe that the TLS tunnel prevents the ACS from stripping the domain prefix/suffix. Thus, I have also posted another discussion on the issue that, when the authentication protocol PEAP MSCHAPv2 is used, ACS is not able to strip the domain prefix/suffix. Thus, would you also be able to advise on whether that is correct? Please refer to the links below.
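To make the matching problem in the question concrete, here is an added Python illustration (not Cisco ACS code, and not the poster's configuration) of what "stripping the prefix" means for an identity store lookup: the RADIUS User-Name arrives as `Domain\weekwang`, the internal store is keyed on the bare `weekwang`, and the lookup only succeeds once the NetBIOS prefix (or a UPN suffix such as `@domain`) is normalized away. The log lines and the internal store are constructed for the example; the function names are my own.

```python
"""Normalize RADIUS User-Name values before an internal user store lookup.

Added illustration of the identity-matching problem described above; it does
not reproduce ACS behaviour. Store contents and log lines are constructed.
"""

# Constructed internal user store: bare account name -> password type.
INTERNAL_STORE = {
    "weekwang": "AD",      # password checked against external AD
    "svc-backup": "local",  # password held locally
}

# Constructed monitor/report style records: User-Name as received from the NAS.
SAMPLE_LOG = [
    "User-Name=Domain\\weekwang Protocol=PEAP(EAP-MSCHAPv2)",
    "User-Name=weekwang@corp.example Protocol=PEAP(EAP-MSCHAPv2)",
    "User-Name=svc-backup Protocol=PAP",
]


def normalize_username(raw: str) -> str:
    """Return the bare account name from the common User-Name forms.

    Handles NetBIOS form (DOMAIN\\user), UPN form (user@domain) and plain
    user names. Only the last backslash-separated component is kept so a
    value such as "Domain\\sub\\user" still yields "user".
    """
    name = raw.strip()
    if "\\" in name:
        name = name.rsplit("\\", 1)[1]
    elif "@" in name:
        name = name.split("@", 1)[0]
    return name


def username_from_log(line: str) -> str:
    """Extract the raw User-Name attribute from a constructed log record."""
    for field in line.split():
        key, sep, value = field.partition("=")
        if sep and key == "User-Name":
            return value
    raise ValueError("no User-Name in record: " + line)


def lookup(raw: str, strip_domain: bool) -> bool:
    """True if the user resolves in INTERNAL_STORE.

    With strip_domain=False the store is queried with the name exactly as
    received, which is the failure mode the question describes.
    """
    key = normalize_username(raw) if strip_domain else raw.strip()
    return key in INTERNAL_STORE


def lookup_results(strip_domain: bool) -> list:
    """Run every sample record through the lookup and return (raw, found)."""
    return [(username_from_log(l), lookup(username_from_log(l), strip_domain))
            for l in SAMPLE_LOG]


if __name__ == "__main__":
    for mode in (False, True):
        print("strip_domain=%s" % mode)
        for raw, found in lookup_results(mode):
            print("  %-28s -> %s" % (raw, "found" if found else "NOT FOUND"))
```

Running it shows the two prefixed/suffixed records failing with `strip_domain=False` and succeeding with `strip_domain=True`, while the plain `svc-backup` name resolves either way. Note that in a PEAP exchange the name the inner MSCHAPv2 method presents is the one that has to match the store, which is why the outer identity rewriting that works for PAP does not necessarily apply.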