Solved: ACS stripping UPN

elliott.fougman · ‎07-20-2007

Hi All,

I'm hoping that someone has come accross a workaround to an age old issue.

I'm currently using ACS 3.3 (Windows Edition) which passes off password authentication to an Active Directory Domain controller. This all works as it should do but my Client wants to use the UPN Name to log onto the Network. The problem is that ACS strips everything after the "@" symbol

joe.bloggs@xxx.com gets passed onto AD as joe.bloggs

Is there any known solution to this issue either from a Cisco or Microsoft perspective.

I have already tried using Microsoft IAS which works perfectly but you lose the logging / security aspects provided by ACS.

Any suggestions would be appreciated.

Elliott

Premdeep Banga · ‎07-21-2007

Hi,

What you are trying to do would be little difficult, as your SAM and UPN username are different.

But I would suggest you to give this a try,

From External User Databases > Database Configuration ?.

Create a Generic LDAP instance, with following information,

User Directory Subtree : DC=mycompany,DC=com

Group Directory Subtree : DC=mycompany,DC=com

UserObjectType : userPrincipalName

UserObjectClass : person

GroupObjectType : cn

GroupObjectClass : group

Group Attribute Name : member

Hostname :

Port : 389

Admin DN : Administrator@mycompany.com

Password :

Leave rest of the information as default.

And from External User Database > Unknown User Policy > make sure that your newly created Generic LDAP is at top of windows.

NOTE : I have taken User Directory Subtree and Group Directory Subtree from the root of the tree, if you have a large tree, then i would prefer to be specific where the users are and where the groups are, rather then searching the whole tree.

Give this a try, it should let users using username as UPN format, to be able to authenticate, and if they use SAM account name, then ACS will look for next database after Generic LDAP, i.e. Windows.

Regards,

Prem

View solution in original post

Jagdeep Gambhir · ‎07-20-2007

Elliot,

Please check

acs--->External user db---> Database configuration---->Windows---> choose domain --->configure---->Configure Domain Lists--->Make sure that you domain name is under available domain box

Let me know how that goes !

Regards,

~JG

elliott.fougman · ‎07-20-2007

Hi JG,

The Windows Domains are listed and selected, the problem I am suffering is that the username does is not a direct match for the UPN

Example

----------

UPN = joe.bloggs@mycompany.com

username = Joeb01

----------

If I try logging onto our VPN conecentrator with the User ID Joeb01 then I have no problems.

Jagdeep Gambhir · ‎07-20-2007

Hi Elliott,

Are you using peap or TLS ? PEAP does not support domain stripping. The client is the one sending the information to ACS. It really doesn't have anything to do with ACS.

Regards,

~JG

elliott.fougman · ‎07-20-2007

Nope, not using any forms of EAP. This is purely PAP / CHAP stuff.

Below is a section of an ACS manual which explains how ACS deals with certain usernames

Full URL : http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_user_guide_chapter09186a00802335f3.html#wp353993

UPN Usernames

ACS supports authentication of usernames in UPN format, such as cyril.yang@example.com or cyril.yang@central-office@example.com.

If the authentication protocol is EAP-TLS, by default, ACS submits the username to Windows in UPN format; however, you can configure ACS to strip from the username all characters after and including the last at symbol (@). For more information, see EAP-TLS Domain Stripping.

For all other authentication protocols that it can support with Windows databases, ACS submits the username to Windows that is stripped of all characters after and including the last at symbol (@). This behavior allows for usernames that contain an at symbol (@). For example:

?If the username received is cyril.yang@example.com, ACS submits to Windows an authentication request containing the username cyril.yang.

?If the username received is cyril.yang@central-office@example.com, ACS submits to Windows an authentication request containing the username cyril.yang@central-office.

Jagdeep Gambhir · ‎07-20-2007

How users are connecting ? CHAP is not supported with AD. Please provide your network scenario.

Premdeep Banga · ‎07-21-2007

Hi,

What you are trying to do would be little difficult, as your SAM and UPN username are different.

But I would suggest you to give this a try,

From External User Databases > Database Configuration ?.

Create a Generic LDAP instance, with following information,

User Directory Subtree : DC=mycompany,DC=com

Group Directory Subtree : DC=mycompany,DC=com

UserObjectType : userPrincipalName

UserObjectClass : person

GroupObjectType : cn

GroupObjectClass : group

Group Attribute Name : member

Hostname :

Port : 389

Admin DN : Administrator@mycompany.com

Password :

Leave rest of the information as default.

And from External User Database > Unknown User Policy > make sure that your newly created Generic LDAP is at top of windows.

NOTE : I have taken User Directory Subtree and Group Directory Subtree from the root of the tree, if you have a large tree, then i would prefer to be specific where the users are and where the groups are, rather then searching the whole tree.

Give this a try, it should let users using username as UPN format, to be able to authenticate, and if they use SAM account name, then ACS will look for next database after Generic LDAP, i.e. Windows.

Regards,

Prem

elliott.fougman · ‎07-26-2007

Hi Prem,

Just wanted to let you know that your suggestion was spot on and has resolved my issue.

Many Thanks

Elliott