https://community.cisco.com/t5/network-access-control/acs-5-2-selection-policy-access-service-attribute-question/m-p/1625983#M325695 <P>hello</P><P></P><P>i'm using ACS 5.2.0.26 and have created Service Selection Policys to authenticate wireless PEAP clients based on the domain suffix used by the clients. if i use the RADIUS attribute RADIUS-IETF:User-Name to do this, am i right in saying that this matches the "Roaming Identity" as opposed to the users actual login id?</P><P></P><P>Under Access Services i can use the attribute System:UserName which does match based on the clients actual login id . My questions are:</P><P></P><P>Does the RADIUS-IETF:User-Name attribute match "Roaming Identity"?</P><P>I can use the System:UserName attribute with an Access Service but not it seems with a Service Selection Policy. Why is this?</P><P></P><P>Thanks</P><P>Andy</P> Mon, 11 Mar 2019 00:40:05 GMT andrewswanson 2019-03-11T00:40:05Z https://community.cisco.com/t5/network-access-control/acs-5-2-selection-policy-access-service-attribute-question/m-p/1625983#M325695 <P>hello</P><P></P><P>i'm using ACS 5.2.0.26 and have created Service Selection Policys to authenticate wireless PEAP clients based on the domain suffix used by the clients. if i use the RADIUS attribute RADIUS-IETF:User-Name to do this, am i right in saying that this matches the "Roaming Identity" as opposed to the users actual login id?</P><P></P><P>Under Access Services i can use the attribute System:UserName which does match based on the clients actual login id . My questions are:</P><P></P><P>Does the RADIUS-IETF:User-Name attribute match "Roaming Identity"?</P><P>I can use the System:UserName attribute with an Access Service but not it seems with a Service Selection Policy. Why is this?</P><P></P><P>Thanks</P><P>Andy</P> Mon, 11 Mar 2019 00:40:05 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-selection-policy-access-service-attribute-question/m-p/1625983#M325695 andrewswanson 2019-03-11T00:40:05Z https://community.cisco.com/t5/network-access-control/acs-5-2-selection-policy-access-service-attribute-question/m-p/1625984#M325726 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Does the RADIUS-IETF:User-Name attribute match "Roaming Identity"?</P><P>-&gt; No.The roaming identity is particular to some supplicants and do not always match the username.</P><P> If the Roaming Identity is cleared, %domain%\%username% is the default.</P><P></P><BLOCKQUOTE class="jive-quote"><P>When 802.1x MS RADIUS is used as an authentication server, the server authenticates the device that uses the Roaming Identity user name from Intel PROSet/Wireless software, and ignores the Authentication Protocol MS-CHAP-V2&nbsp; user name. This feature is the 802.1x identity supplied to the&nbsp; authenticator. Microsoft IAS RADIUS accepts only a valid user name&nbsp; (dotNet user) for EAP clients. When 802.1x MS RADIUS is used, enter a&nbsp; valid user name. For all other servers, this is optional. Therefore, it&nbsp; is recommended to use the desired realm (for example, anonymous@myrealm)&nbsp; instead of a true identity.</P></BLOCKQUOTE><P></P><P>I can use the System:UserName attribute with an Access Service but not it seems with a Service Selection Policy. Why is this?</P><P>-&gt; Because that attribute is not valid for Service selection Policy. It was designed this way...nothing we can do.</P><P></P><P></P><P>HTH,<BR />Tiago</P><P></P><P></P><DIV class="jive-rendered-content"><DIV class="jive-rendered-content"><P>--</P><P>If&nbsp; this helps you and/or answers your question please mark the question as&nbsp; "answered" and/or rate it, so other users can easily find it.</P></DIV></DIV></BODY></HTML> Wed, 22 Dec 2010 14:03:26 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-selection-policy-access-service-attribute-question/m-p/1625984#M325726 Tiago Antunes 2010-12-22T14:03:26Z https://community.cisco.com/t5/network-access-control/acs-5-2-selection-policy-access-service-attribute-question/m-p/1625985#M325800 <HTML><HEAD></HEAD><BODY><P>Thanks for the quick and thorough response - yes, i am using Intel PROSet on the client. So is the System:UserName attibute on the ACS always the users correct username regardless of the suplicant used?</P><P></P><P>thanks</P><P>andy</P></BODY></HTML> Wed, 22 Dec 2010 14:19:05 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-selection-policy-access-service-attribute-question/m-p/1625985#M325800 andrewswanson 2010-12-22T14:19:05Z https://community.cisco.com/t5/network-access-control/acs-5-2-selection-policy-access-service-attribute-question/m-p/1625986#M325876 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Yes,</P><P></P><P>That attribute will contain the username searched on the Identity Sources for authentication, regardless of the supplicant software.</P><P></P><P></P><P>HTH,<BR />Tiago</P><P></P><DIV class="jive-rendered-content"><DIV class="jive-rendered-content"><P>--</P><P>If&nbsp; this helps you and/or answers your question please mark the question as&nbsp; "answered" and/or rate it, so other users can easily find it.</P></DIV></DIV></BODY></HTML> Thu, 23 Dec 2010 08:34:52 GMT https://community.cisco.com/t5/network-access-control/acs-5-2-selection-policy-access-service-attribute-question/m-p/1625986#M325876 Tiago Antunes 2010-12-23T08:34:52Z