07-25-2011 06:02 AM - edited 03-10-2019 06:15 PM
Hi, we are currently evaluating an ACS 1121 running 5.2, and we are trying to configure it to authenticate EAP-PEAP requests.
Our users will be using credentials in a username@example.com format. If the server sees a request using username@anotherrealm.com, it would forward the request to an external proxy RADIUS server; if the server sees a request for our domain, it would strip off the @example.com part and authenticate against AD.
I'm finding it hard to locate documentation on telling the server that if a request comes from a NAS using username@example.com, it should strip @example.com and authenticate username against AD. I would have thought this is a common scenario. Could anyone help?
Thanks
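The realm-routing decision the question describes, written out as an added example (my own code, not from the thread, ACS, or the open-source RADIUS server mentioned): LOCAL_REALMS, DEFAULT_PROXY and the rule that a login with no realm is rejected are assumptions.

```python
"""Realm routing for username@realm logins (added example, not code from the
thread or from Cisco ACS). It models the decision the authentication server
makes before it talks to AD or a proxy:
  - user@example.com  -> strip the realm, authenticate "user" against AD
  - user@other.realm  -> forward the untouched request to the proxy
  - no realm at all   -> reject (an assumption; the thread does not cover it)
"""
from dataclasses import dataclass

LOCAL_REALMS = {"example.com"}                   # realms served by local AD (constructed)
DEFAULT_PROXY = "radius-proxy.upstream.invalid"  # placeholder upstream proxy (constructed)


@dataclass(frozen=True)
class Decision:
    action: str        # "local" (AD), "proxy", or "reject"
    user: str          # username actually sent onwards
    target: str = ""   # proxy host for "proxy" decisions


def split_realm(login: str) -> tuple[str, str]:
    """Split 'user@realm' on the LAST '@', realm lower-cased.

    Using the last '@' means 'bob@example.com@other' is user 'bob@example.com'
    in realm 'other', so text appended after the local realm cannot make a
    foreign-realm login look local.
    """
    user, sep, realm = login.rpartition("@")
    if not sep:
        return login, ""
    return user, realm.strip().lower()


def route(login: str) -> Decision:
    login = login.strip()
    user, realm = split_realm(login)
    if not user or not realm:
        # No realm (or empty user part): do not guess, reject the request.
        return Decision("reject", user)
    if realm in LOCAL_REALMS:
        # Local realm: strip it so the AD lookup sees the bare account name.
        return Decision("local", user)
    # Foreign realm: the full username stays intact so the far end can route it.
    return Decision("proxy", login, DEFAULT_PROXY)


if __name__ == "__main__":
    for sample in ("colin@example.com", "anna@anotherrealm.com", "colin"):
        print(sample, "->", route(sample))
```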
07-25-2011 04:32 PM
Hi Colin,
I believe this is what you're looking for:
1. Go to Access Policies > Access Services > Default Network Access > Identity.
2. Click on the radio-button for "Rule based result selection" (if not already selected).
3. Click on "Customize" (bottom right-hand corner of the GUI). A pop-up window will appear allowing you to select the conditions you would like to have available when creating the identity policies.
4. Move the "Compound Condition" option from the Available list to the Selected list and then click "OK".
5. Click on "Create" (bottom left-hand corner of the GUI). A window will appear allowing you to create the identity policy.
6. Give the rule a name.
7. Check the box next to "Compound Condition".
8. From the "Dictionary" drop-down list select "System".
9. Click on the "Select" button next to the "Attribute" field. Another window will pop-up with a list of available attributes. Select "UserName" and then click "OK".
10. From the "Operator" drop-down list select "ends with".
11. In the "Value" field enter "@example.com".
12. Click on the "Add \/" button to add the condition to the condition set.
13. In the "Results" section of the identity policy, click on the "Select" button next to the "Identity Source" field. A window will appear allowing you to select the Identity Store that you would like to authenticate against. Select the appropriate identity store and then click "OK".
14. Click "OK" on the Identity Policy. This will add the policy to the list and will take you back to the main ACS gui.
15. Click on "Save Changes" at the bottom of the GUI to save the Identity Policy you've just created.
Please let me know if this helps!
Best regards,
Dragana
07-26-2011 03:43 AM
Hi Dragana,
Thanks for your answer. It's not quite what I was looking for: I was looking for a way to tell ACS to send authentication requests for username@example.com to AD, but to strip the @example.com part away from the request before it authenticates against AD. This is what we currently have in place on an open-source RADIUS server.
Thanks
Colin
07-26-2011 04:55 PM
Hi Colin,
Sorry, I missed the 2nd part of your question. I read the first part and understood it as a question about how to get the ACS to authenticate a user against a particular identity store depending on what the username was appended with (e.g. @example.com).
As far as I know, it is not possible to strip the @example.com part before authenticating against AD. However, it is possible with LDAP:
If you don't mind me asking, what is the reason behind wanting to strip off the @example.com part when authenticating against AD?
Best regards,
Dragana
07-27-2011 03:33 AM
Hi Dragana,
Thanks for the reply. We have the requirement to strip the realm before the request gets sent to AD because the user IDs in AD are the same as the usernames in the request. This is how it currently works in the current set-up with an open-source RADIUS server: the server is part of a RADIUS proxy hierarchy, so users need to send requests in username@realm format to reach the correct server. When it reaches the correct server, the @realm part will be stripped off the request and the username will be authenticated against AD.
Thanks for your help
Colin