Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1915
Views
0
Helpful
4
Replies

Configuring ACS to strip domain from request and sending it to AD

C.BYELONG_2
Level 1
Level 1

‎07-25-2011 06:02 AM - edited ‎03-10-2019 06:15 PM

Hi, We are currently evaluating a ACS 1121 running 5.2, we are trying to configure this to Authenticate eap-peap requests.

Our users will be using credentials in a username@example.com format, if the server sees a request using username@anotherrealm.com then it would forward the request to a external proxy radius server, if the server saw a request for our domain it would strip off the @example.com part and authenticate against AD.

Im finding it hard locating documentation to tell the server if a request comes from a NAS using username@example.com then strip @example.com and authenticate username against AD, I would have thought this is a common scenarion, could anyone help ?

Thanks

Labels:
0 Helpful
4 Replies 4

drstanic
Cisco Employee
Cisco Employee

‎07-25-2011 04:32 PM

Hi Colin,

I believe this is what you're looking for:

1. Go to Access Policies > Access Services > Defaunt Network Access > Identity

2. Click on the radio-button for "Rule based result selection" (if not already selected).

3. Click on "Customize" (bottom right-hand corner of the GUI). A pop-up window will appear allowing you to select the conditions you would like to have available when creating the identity policies

4. Move the "Compound Condition" option from the Available list to the Selected list and then click "OK".

5. Click on "Create" (bottom left-hand corner of the GUI). A window will appear allowing you to create the identity policy.

6. Give the rule a name

7. Check the box next to "Compound Condition"

8. From the "Dictionary" drop-down list select "System"

9. Click on the "Select" button next to the "Attribute" field. Another window will pop-up with a list of available attributes. Select "UserName" and then click "OK".

10. From the "Operator" drop-down list select "ends with"

11. In the "Value" field enter "@example.com".

12. Click on the "Add \/" button to add the condition to the condition set.

13. In the "Results" section of the identity policy, click on the "Select" button next to the "Identity Source" field. A window will appear allowing you to select the Identity Store that you would like to authenticate against. Select the appropriate identity store and then click "OK".

14. Click "OK" on the Identity Policy. This will add the policy to the list and will take you back to the main ACS gui.

15. Click on "Save Changes" at the bottom of the GUI to save Identity Policy you've just created.

Please let me know if this helps!

Best regards,

Dragana

0 Helpful

C.BYELONG_2
Level 1
Level 1
In response to drstanic

‎07-26-2011 03:43 AM

Hi Dragana,

Thanks for your answer, its not quite what I was looking for, I was looking for a way to tell ACS to send authentication requests for username@example.com to AD but strip the @example.com part away from the request before it authenticates against AD, this is what we currently have in place on a opensource radius server.

Thanks

Colin

0 Helpful

drstanic
Cisco Employee
Cisco Employee
In response to C.BYELONG_2

‎07-26-2011 04:55 PM

Hi Colin,

Sorry, I missed the 2nd part of your question. I read the first part and understood it as a question about how to get the ACS to authenticate a user against a particular identity store depending on what the username was appended to (eg. @example.com).

As far as I know, it is not possible to strip the @example.com part before authenticating against AD. However it is possible with LDAP:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1139926

If you don't mind me asking, what is the reason behind wanting to strip off the @example.com part when authenticating against AD?

Best regards,

Dragana

0 Helpful

C.BYELONG_2
Level 1
Level 1
In response to drstanic

‎07-27-2011 03:33 AM

Hi Dragana,

Thanks for the reply, we have the requirement to stip the realm before the request gets sent to AD because the userids in AD are the same as the usernames in the request, this is how it currently works in the current set-up with a opensource radius server, the server is part of a radius proxy hierarchy so users need to send requests in username@realm format to reach the correct server, when it reaches the correct server the @realm part will be stripped off the request and the username will be authenticated against AD.

Thanks for your help

Colin

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents