Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PEAP authentication failure - different domain name

Hi There,

I am experiencing a problem in setting up PEAP authentication between XP WLAN client(Dell) and

ACS(v4.1). Hope to get some helpful ideas here.

Due to a design limitation, the domain name we want our user to use for their user id and the domain name of our AD is slightly different. For example, the user has to use joe_user@yyy.com as the WLAN id and the AD domain name is xxx.yyy.com.

When I use the name joe_user@xxx.yyy.com, the authentication was successful.. But if I use joe_user@yyy.com, it failed.

I read in the ACS manual that it should not care about the domain name. It will strip the domain name and only use the user id "joe_user" in this case to authenticate. If this is true, why there's the difference?

<UPN Username description in manual, page 12-9 in 4.1 user guide>

UPN Usernames

ACS supports authentication of usernames in UPN format, such as cyril.yang@example.com or cyril.yang@central-office@example.com.

If the authentication protocol is EAP-TLS, by default, ACS submits the username to Windows in UPN format. For all other authentication protocols that it can support with Windows databases, ACS submits the username to Windows that is stripped of all characters after and including the last at symbol (@). This behavior allows for usernames that contain an at symbol (@). For example:

•If the username received is cyril.yang@example.com, ACS submits to Windows an authentication request containing the username cyril.yang.

•If the username received is cyril.yang@central-office@example.com, ACS submits to Windows an authentication request containing the username cyril.yang@central-office.

</UPN Username>

Thanks in advance,

kng

310
Views
0
Helpful
0
Replies