07-20-2007 06:16 AM - edited 03-10-2019 03:17 PM
Hi All,
I'm hoping that someone has come accross a workaround to an age old issue.
I'm currently using ACS 3.3 (Windows Edition) which passes off password authentication to an Active Directory Domain controller. This all works as it should do but my Client wants to use the UPN Name to log onto the Network. The problem is that ACS strips everything after the "@" symbol
joe.bloggs@xxx.com gets passed onto AD as joe.bloggs
Is there any known solution to this issue either from a Cisco or Microsoft perspective.
I have already tried using Microsoft IAS which works perfectly but you lose the logging / security aspects provided by ACS.
Any suggestions would be appreciated.
Elliott
Solved! Go to Solution.
07-21-2007 11:35 AM
Hi,
What you are trying to do would be little difficult, as your SAM and UPN username are different.
But I would suggest you to give this a try,
From External User Databases > Database Configuration ?.
Create a Generic LDAP instance, with following information,
User Directory Subtree : DC=mycompany,DC=com
Group Directory Subtree : DC=mycompany,DC=com
UserObjectType : userPrincipalName
UserObjectClass : person
GroupObjectType : cn
GroupObjectClass : group
Group Attribute Name : member
Hostname :
Port : 389
Admin DN : Administrator@mycompany.com
Password :
Leave rest of the information as default.
And from External User Database > Unknown User Policy > make sure that your newly created Generic LDAP is at top of windows.
NOTE : I have taken User Directory Subtree and Group Directory Subtree from the root of the tree, if you have a large tree, then i would prefer to be specific where the users are and where the groups are, rather then searching the whole tree.
Give this a try, it should let users using username as UPN format, to be able to authenticate, and if they use SAM account name, then ACS will look for next database after Generic LDAP, i.e. Windows.
Regards,
Prem
07-20-2007 07:39 AM
Elliot,
Please check
acs--->External user db---> Database configuration---->Windows---> choose domain --->configure---->Configure Domain Lists--->Make sure that you domain name is under available domain box
Let me know how that goes !
Regards,
~JG
07-20-2007 07:53 AM
Hi JG,
The Windows Domains are listed and selected, the problem I am suffering is that the username does is not a direct match for the UPN
Example
----------
UPN = joe.bloggs@mycompany.com
username = Joeb01
----------
If I try logging onto our VPN conecentrator with the User ID Joeb01 then I have no problems.
07-20-2007 08:04 AM
Hi Elliott,
Are you using peap or TLS ? PEAP does not support domain stripping. The client is the one sending the information to ACS. It really doesn't have anything to do with ACS.
Regards,
~JG
07-20-2007 08:12 AM
Nope, not using any forms of EAP. This is purely PAP / CHAP stuff.
Below is a section of an ACS manual which explains how ACS deals with certain usernames
UPN Usernames
ACS supports authentication of usernames in UPN format, such as cyril.yang@example.com or cyril.yang@central-office@example.com.
If the authentication protocol is EAP-TLS, by default, ACS submits the username to Windows in UPN format; however, you can configure ACS to strip from the username all characters after and including the last at symbol (@). For more information, see EAP-TLS Domain Stripping.
For all other authentication protocols that it can support with Windows databases, ACS submits the username to Windows that is stripped of all characters after and including the last at symbol (@). This behavior allows for usernames that contain an at symbol (@). For example:
?If the username received is cyril.yang@example.com, ACS submits to Windows an authentication request containing the username cyril.yang.
?If the username received is cyril.yang@central-office@example.com, ACS submits to Windows an authentication request containing the username cyril.yang@central-office.
07-20-2007 08:27 AM
How users are connecting ? CHAP is not supported with AD. Please provide your network scenario.
07-21-2007 11:35 AM
Hi,
What you are trying to do would be little difficult, as your SAM and UPN username are different.
But I would suggest you to give this a try,
From External User Databases > Database Configuration ?.
Create a Generic LDAP instance, with following information,
User Directory Subtree : DC=mycompany,DC=com
Group Directory Subtree : DC=mycompany,DC=com
UserObjectType : userPrincipalName
UserObjectClass : person
GroupObjectType : cn
GroupObjectClass : group
Group Attribute Name : member
Hostname :
Port : 389
Admin DN : Administrator@mycompany.com
Password :
Leave rest of the information as default.
And from External User Database > Unknown User Policy > make sure that your newly created Generic LDAP is at top of windows.
NOTE : I have taken User Directory Subtree and Group Directory Subtree from the root of the tree, if you have a large tree, then i would prefer to be specific where the users are and where the groups are, rather then searching the whole tree.
Give this a try, it should let users using username as UPN format, to be able to authenticate, and if they use SAM account name, then ACS will look for next database after Generic LDAP, i.e. Windows.
Regards,
Prem
07-26-2007 05:38 AM
Hi Prem,
Just wanted to let you know that your suggestion was spot on and has resolved my issue.
Many Thanks
Elliott
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide