Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Add AAA realm to username

We have a 3030 running 4.6.x with a fairly simple configuration. Currently we have just one group configured on the concentrator into which all users are placed. We authenticate our users with a radius server. The radius server in turn gets authenticates the users against one of several different unix password files and/or Microsoft Active Directory instances. Users indicate where the radius server should look for their password by appending a realm to their username. For example the radius server looks for “joe@math” in the math department’s active directory, “fred@comsci” in the computer science departments Unix password file.

Now I need to add a second group. This new group needs to be restricted so that users in this group are only authenticated against one specific password file. In other words the radius server needs to only use the chemistry password file for users of this group.

With other systems I’ve worked with this is fairly simple. You configure the remote access device (the concentrator in this case) to remove any realm provided by the user and to append a hard-coded realm. This would ensure that anyone trying to use the new “Chemistry” group on the concentrator would have @chem appended to their username when it is sent to the radius server.

The thing is, I can’t figure out how to do this with the VPN concentrator. I can strip the realm, but then I can’t add a new one. If I use “group lookup” I could tell the users of the Chemistry group to append the @chem themselves, but then when a user of my default group appends their department (i.e. joe@math), the concentrator is going to try to find a group called math.

So, I feel kind of stuck. Any ideas, suggestions or solutions?


Cisco Employee

Re: Add AAA realm to username

Do any of your uses not have to enter in a realm when they authenticate? If every other department has to enter a realm, and the Radius server sends them off to a specific user database based on that, then could you simply have the "chem" users not enter a realm at all, and have the Radius server authenticate non-realm'd users to your chem database. If one of your say, "math" users forgets to add their realm they'll be authenticated against the "chem" DB which will fail, they'll realise their mistake and add their "math" realm and get authenticated correctly.

Or you could set up a 2nd Radius server just for the "chem" users, and under their group on the VPN3000 add in that as an authentication server, that way only the "chem" users will authenticate against that Radius server.

Or, if thre's not too many "chem" users you could simply add them into the VPN3000 local database instead of the Radius DB, then set up the new VPN3000 group to authenticate off the local database.

None of these are great options, but as you said, you can strip the realm but you can't add a new one on unfortunately. Just throwing some ideas out there, maybe one of them'll stick :-)

CreatePlease login to create content