714 Views, 0 Helpful, 4 Replies
Beginner

Configuring ACS to strip domain from request and sending it to AD

Hi, we are currently evaluating an ACS 1121 running 5.2, and we are trying to configure it to authenticate EAP-PEAP requests.

Our users will be using credentials in a username@example.com format. If the server sees a request using username@anotherrealm.com, it would forward the request to an external proxy RADIUS server; if the server saw a request for our domain, it would strip off the @example.com part and authenticate against AD.

I'm finding it hard to locate documentation on telling the server that if a request comes from a NAS using username@example.com, it should strip @example.com and authenticate username against AD. I would have thought this is a common scenario; could anyone help?

Thanks

4 REPLIES
Cisco Employee

Configuring ACS to strip domain from request and sending it to AD

Hi Colin,

I believe this is what you're looking for:

1. Go to Access Policies > Access Services > Default Network Access > Identity

2. Click on the radio-button for "Rule based result selection" (if not already selected).

3. Click on "Customize" (bottom right-hand corner of the GUI). A pop-up window will appear allowing you to select the conditions you would like to have available when creating the identity policies

4. Move the "Compound Condition" option from the Available list to the Selected list and then click "OK".

5. Click on "Create" (bottom left-hand corner of the GUI). A window will appear allowing you to create the identity policy.

6. Give the rule a name

7. Check the box next to "Compound Condition"

8. From the "Dictionary" drop-down list select "System"

9. Click on the "Select" button next to the "Attribute" field. Another window will pop-up with a list of available attributes. Select "UserName" and then click "OK".

10. From the "Operator" drop-down list select "ends with"

11. In the "Value" field enter "@example.com".

12. Click on the "Add V" button to add the condition to the condition set.

13. In the "Results" section of the identity policy, click on the "Select" button next to the "Identity Source" field. A window will appear allowing you to select the Identity Store that you would like to authenticate against. Select the appropriate identity store and then click "OK".

14. Click "OK" on the Identity Policy. This will add the policy to the list and will take you back to the main ACS gui.

15. Click on "Save Changes" at the bottom of the GUI to save Identity Policy you've just created.

Please let me know if this helps!

Best regards,

Dragana

Beginner

Configuring ACS to strip domain from request and sending it to AD

Hi Dragana,

Thanks for your answer, but it's not quite what I was looking for. I was looking for a way to tell ACS to send authentication requests for username@example.com to AD but strip the @example.com part away from the request before it authenticates against AD; this is what we currently have in place on an open-source RADIUS server.

Thanks

Colin

Cisco Employee

Re: Configuring ACS to strip domain from request and sending it to AD

Hi Colin,

Sorry, I missed the 2nd part of your question. I read the first part and understood it as a question about how to get the ACS to authenticate a user against a particular identity store depending on what was appended to the username (e.g. @example.com).

As far as I know, it is not possible to strip the @example.com part before authenticating against AD. However it is possible with LDAP:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/user/guide/users_id_stores.html#wp1139926

If you don't mind me asking, what is the reason behind wanting to strip off the @example.com part when authenticating against AD?

Best regards,

Dragana

Beginner

Re: Configuring ACS to strip domain from request and sending it to AD

Hi Dragana,

Thanks for the reply. We have the requirement to strip the realm before the request gets sent to AD because the user IDs in AD are the same as the usernames in the request; this is how it currently works in the current set-up with an open-source RADIUS server. The server is part of a RADIUS proxy hierarchy, so users need to send requests in username@realm format to reach the correct server; when it reaches the correct server, the @realm part is stripped off the request and the username is authenticated against AD.

Thanks for your help

Colin
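The realm-routing behaviour Colin describes for his open-source RADIUS server (local realm stripped and sent to AD, other realms proxied unchanged), written out as an added Python example. This is not code from the thread, from Cisco ACS or from any particular RADIUS server; the realm names, the proxy address and the sample User-Name values are constructed. It also shows the check a practitioner would want before stripping a suffix from an attacker-controlled User-Name: split at the last "@" only, and refuse to send anything to AD that is not a plain account name (so "bob@evil.net@example.com" is rejected rather than looked up as "bob@evil.net"). Unknown realms are rejected rather than forwarded by default.

```python
"""Realm-based RADIUS request routing with suffix stripping (added example).

Models the behaviour described in the thread for an open-source RADIUS proxy:
  user@example.com        -> strip "@example.com", authenticate "user" against AD
  user@anotherrealm.com   -> proxy the request unchanged to that realm's home server
  anything else           -> reject
All realm names, the proxy address and the sample requests below are
constructed for illustration (assumptions, not values from the thread).
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

LOCAL_REALM = "example.com"                                   # assumption: our AD realm
PROXY_REALMS = {                                              # assumption: realm -> home server
    "anotherrealm.com": "radius-proxy.partner.invalid:1812",
}

# What we are willing to hand to AD as a logon name after stripping:
# a plain sAMAccountName-style token, no "@", "\", "/" or whitespace.
ACCOUNT_NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")


@dataclass(frozen=True)
class Decision:
    action: str              # "local", "proxy" or "reject"
    user: Optional[str]      # User-Name to authenticate/forward (stripped for "local")
    target: Optional[str]    # identity store ("AD") or home server address
    reason: str = ""


def split_realm(user_name: str) -> Tuple[str, Optional[str]]:
    """Split 'user@realm' at the LAST '@'; realm is lower-cased for matching.

    Splitting at the last '@' means a name like 'bob@evil.net@example.com'
    yields user='bob@evil.net', which route() then rejects instead of stripping.
    """
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm.lower()


def route(user_name: str) -> Decision:
    """Decide where a request with this User-Name goes and what name is sent."""
    user, realm = split_realm(user_name)
    if realm is None:
        # Every user in this hierarchy must carry a realm to be routable.
        return Decision("reject", None, None, "no realm in User-Name")
    if realm == LOCAL_REALM:
        # Strip the suffix, but only pass a clean account name on to AD.
        if not ACCOUNT_NAME_RE.fullmatch(user):
            return Decision("reject", None, None, f"bad account name {user!r}")
        return Decision("local", user, "AD")
    if realm in PROXY_REALMS:
        # Forward unchanged: the home server strips its own suffix.
        return Decision("proxy", user_name, PROXY_REALMS[realm])
    return Decision("reject", None, None, f"unknown realm {realm!r}")


# Constructed sample User-Name values, as they might arrive from a NAS.
SAMPLE_REQUESTS = [
    "colin@example.com",
    "Colin@EXAMPLE.COM",
    "alice@anotherrealm.com",
    "bob@evil.net@example.com",
    "bob",
    "mallory@unknown.org",
]


def route_all(user_names=SAMPLE_REQUESTS):
    """Route each sample and return the decisions (used by the demo below)."""
    return [route(u) for u in user_names]


if __name__ == "__main__":
    for name, d in zip(SAMPLE_REQUESTS, route_all()):
        print(f"{name:28} -> {d.action:6} user={d.user!r} target={d.target!r} {d.reason}")
```

Two design points worth noting. The realm comparison is case-insensitive while the account name is passed through unchanged; AD treats logon names case-insensitively, so nothing is lost, but the realm check must not be fooled by "@EXAMPLE.COM". And the proxy branch deliberately forwards the original User-Name intact, because in a proxy hierarchy each server strips only its own suffix; stripping at an intermediate hop would break routing at the next one.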